Merge pull request #10020 from bensze01/msvc-format-size-macros
Fix preprocessor guards for C99 format size specifiers
diff --git a/ChangeLog.d/tls-hs-defrag-in.txt b/ChangeLog.d/tls-hs-defrag-in.txt
new file mode 100644
index 0000000..6bab02a
--- /dev/null
+++ b/ChangeLog.d/tls-hs-defrag-in.txt
@@ -0,0 +1,7 @@
+Bugfix
+ * Support re-assembly of fragmented handshake messages in TLS (both
+ 1.2 and 1.3). The lack of support was causing handshake failures with
+ some servers, especially with TLS 1.3 in practice. There are a few
+ limitations, notably a fragmented ClientHello is only supported when
+ TLS 1.3 support is enabled. See the documentation of
+ mbedtls_ssl_handshake() for details.
diff --git a/framework b/framework
index 523a12d..cab0c5f 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 523a12d05b91301b020e2aa560d9774135e3a801
+Subproject commit cab0c5fe19d5747cb9603552b80ebe64b9c67fdd
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 958ee9b..681584b 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1782,6 +1782,8 @@
size_t MBEDTLS_PRIVATE(in_hslen); /*!< current handshake message length,
including the handshake header */
+ size_t MBEDTLS_PRIVATE(in_hsfraglen); /*!< accumulated length of hs fragments
+ (up to in_hslen) */
int MBEDTLS_PRIVATE(nb_zero); /*!< # of 0-length encrypted messages */
int MBEDTLS_PRIVATE(keep_current_message); /*!< drop or reuse current message
@@ -4302,6 +4304,10 @@
* with \c mbedtls_ssl_read()), not handshake messages.
* With DTLS, this affects both ApplicationData and handshake.
*
+ * \note Defragmentation of TLS handshake messages is supported
+ * with some limitations. See the documentation of
+ * mbedtls_ssl_handshake() for details.
+ *
* \note This sets the maximum length for a record's payload,
* excluding record overhead that will be added to it, see
* \c mbedtls_ssl_get_record_expansion().
@@ -4791,6 +4797,24 @@
* currently being processed might or might not contain further
* DTLS records.
*
+ * \note In TLS, reception of fragmented handshake messages is
+ * supported with some limitations (those limitations do
+ * not apply to DTLS, where defragmentation is fully
+ * supported):
+ * - On an Mbed TLS server that only accepts TLS 1.2,
+ * the initial ClientHello message must not be fragmented.
+ * A TLS 1.2 ClientHello may be fragmented if the server
+ * also accepts TLS 1.3 connections (meaning
+ * that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the
+ * accepted versions have not been restricted with
+ * mbedtls_ssl_conf_max_tls_version() or the like).
+ * - The first fragment of a handshake message must be
+ * at least 4 bytes long.
+ * - Non-handshake records must not be interleaved between
+ * the fragments of a handshake message. (This is permitted
+ * in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it
+ * even in TLS 1.2.)
+ *
* \note The PSA crypto subsystem must have been initialized by
* calling psa_crypto_init() before calling this function.
*/
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 9ff0fca..164a230 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1752,10 +1752,11 @@
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl);
void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform);
-void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 97c4866..f5ea8dd 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -2962,19 +2962,34 @@
int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
{
- if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
- ssl->in_msglen));
- return MBEDTLS_ERR_SSL_INVALID_RECORD;
- }
+ if (ssl->in_hsfraglen == 0) {
+ /* The handshake message must at least include the header.
+ * We may not have the full message yet in case of fragmentation.
+ * To simplify the code, we insist on having the header (and in
+ * particular the handshake message length) in the first
+ * fragment. */
+ if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
+ ssl->in_msglen));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
- ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
+ ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
+ }
MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen ="
" %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %"
MBEDTLS_PRINTF_SIZET,
ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen));
+ if (ssl->transform_in != NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(4, ("decrypted handshake message:"
+ " iv-buf=%d hdr-buf=%d hdr-buf=%d",
+ (int) (ssl->in_iv - ssl->in_buf),
+ (int) (ssl->in_hdr - ssl->in_buf),
+ (int) (ssl->in_msg - ssl->in_buf)));
+ }
+
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -3034,10 +3049,105 @@
}
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
- /* With TLS we don't handle fragmentation (for now) */
- if (ssl->in_msglen < ssl->in_hslen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("TLS handshake fragmentation not supported"));
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ {
+ unsigned char *const reassembled_record_start =
+ ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ unsigned char *const payload_start =
+ reassembled_record_start + mbedtls_ssl_in_hdr_len(ssl);
+ unsigned char *payload_end = payload_start + ssl->in_hsfraglen;
+ /* How many more bytes we want to have a complete handshake message. */
+ const size_t hs_remain = ssl->in_hslen - ssl->in_hsfraglen;
+ /* How many bytes of the current record are part of the first
+ * handshake message. There may be more handshake messages (possibly
+ * incomplete) in the same record; if so, we leave them after the
+ * current record, and ssl_consume_current_message() will take
+ * care of consuming the next handshake message. */
+ const size_t hs_this_fragment_len =
+ ssl->in_msglen > hs_remain ? hs_remain : ssl->in_msglen;
+ (void) hs_this_fragment_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("%s handshake fragment: %" MBEDTLS_PRINTF_SIZET
+ ", %" MBEDTLS_PRINTF_SIZET
+ "..%" MBEDTLS_PRINTF_SIZET
+ " of %" MBEDTLS_PRINTF_SIZET,
+ (ssl->in_hsfraglen != 0 ?
+ "subsequent" :
+ hs_this_fragment_len == ssl->in_hslen ?
+ "sole" :
+ "initial"),
+ ssl->in_msglen,
+ ssl->in_hsfraglen,
+ ssl->in_hsfraglen + hs_this_fragment_len,
+ ssl->in_hslen));
+
+ /* Move the received handshake fragment to have the whole message
+ * (at least the part received so far) in a single segment at a
+ * known offset in the input buffer.
+ * - When receiving a non-initial handshake fragment, append it to
+ * the initial segment.
+ * - Even the initial handshake fragment is moved, if it was
+ * encrypted with an explicit IV: decryption leaves the payload
+ * after the explicit IV, but here we move it to start where the
+ * IV was.
+ */
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t const in_buf_len = ssl->in_buf_len;
+#else
+ size_t const in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+#endif
+ if (payload_end + ssl->in_msglen > ssl->in_buf + in_buf_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("Shouldn't happen: no room to move handshake fragment %"
+ MBEDTLS_PRINTF_SIZET " from %p to %p (buf=%p len=%"
+ MBEDTLS_PRINTF_SIZET ")",
+ ssl->in_msglen,
+ (void *) ssl->in_msg, (void *) payload_end,
+ (void *) ssl->in_buf, in_buf_len));
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+ memmove(payload_end, ssl->in_msg, ssl->in_msglen);
+
+ ssl->in_hsfraglen += ssl->in_msglen;
+ payload_end += ssl->in_msglen;
+
+ if (ssl->in_hsfraglen < ssl->in_hslen) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Prepare: waiting for more handshake fragments %"
+ MBEDTLS_PRINTF_SIZET "/%"
+ MBEDTLS_PRINTF_SIZET,
+ ssl->in_hsfraglen, ssl->in_hslen));
+ ssl->in_hdr = payload_end;
+ ssl->in_msglen = 0;
+ mbedtls_ssl_update_in_pointers(ssl);
+ return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ } else {
+ ssl->in_msglen = ssl->in_hsfraglen;
+ ssl->in_hsfraglen = 0;
+ ssl->in_hdr = reassembled_record_start;
+ mbedtls_ssl_update_in_pointers(ssl);
+
+ /* Update the record length in the fully reassembled record */
+ if (ssl->in_msglen > 0xffff) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("Shouldn't happen: in_msglen=%"
+ MBEDTLS_PRINTF_SIZET " > 0xffff",
+ ssl->in_msglen));
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+ MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0);
+
+ size_t record_len = mbedtls_ssl_in_hdr_len(ssl) + ssl->in_msglen;
+ (void) record_len;
+ MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record",
+ ssl->in_hdr, record_len);
+ if (ssl->in_hslen < ssl->in_msglen) {
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("More handshake messages in the record: "
+ "%" MBEDTLS_PRINTF_SIZET " + %" MBEDTLS_PRINTF_SIZET,
+ ssl->in_hslen,
+ ssl->in_msglen - ssl->in_hslen));
+ }
+ }
}
return 0;
@@ -4382,6 +4492,14 @@
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
+ if (ssl->in_hsfraglen != 0) {
+ /* Not all handshake fragments have arrived, do not consume. */
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Consume: waiting for more handshake fragments %"
+ MBEDTLS_PRINTF_SIZET "/%" MBEDTLS_PRINTF_SIZET,
+ ssl->in_hsfraglen, ssl->in_hslen));
+ return 0;
+ }
+
/*
* Get next Handshake message in the current record
*/
@@ -4407,6 +4525,7 @@
ssl->in_msglen -= ssl->in_hslen;
memmove(ssl->in_msg, ssl->in_msg + ssl->in_hslen,
ssl->in_msglen);
+ MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0);
MBEDTLS_SSL_DEBUG_BUF(4, "remaining content in record",
ssl->in_msg, ssl->in_msglen);
@@ -4770,6 +4889,18 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ /* If we're in the middle of a fragmented TLS handshake message,
+ * we don't accept any other message type. For TLS 1.3, the spec forbids
+ * interleaving other message types between handshake fragments. For TLS
+ * 1.2, the spec does not forbid it but we do. */
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM &&
+ ssl->in_hsfraglen != 0 &&
+ ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("non-handshake message in the middle"
+ " of a fragmented handshake message"));
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
/*
* Handle particular types of records
*/
@@ -5081,7 +5212,7 @@
} else
#endif
{
- ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ ssl->in_ctr = ssl->in_buf;
ssl->in_len = ssl->in_hdr + 3;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
ssl->in_cid = ssl->in_len;
@@ -5097,24 +5228,35 @@
* Setup an SSL context
*/
-void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl)
+void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl)
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ ssl->in_hdr = ssl->in_buf;
+ } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ {
+ ssl->in_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ }
+
+ /* Derive other internal pointers. */
+ mbedtls_ssl_update_in_pointers(ssl);
+}
+
+void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl)
{
/* Set the incoming and outgoing record pointers. */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
ssl->out_hdr = ssl->out_buf;
- ssl->in_hdr = ssl->in_buf;
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
{
ssl->out_ctr = ssl->out_buf;
- ssl->out_hdr = ssl->out_buf + 8;
- ssl->in_hdr = ssl->in_buf + 8;
+ ssl->out_hdr = ssl->out_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
}
-
/* Derive other internal pointers. */
mbedtls_ssl_update_out_pointers(ssl, NULL /* no transform enabled */);
- mbedtls_ssl_update_in_pointers(ssl);
}
/*
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ec4272a..3572f3f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -339,12 +339,13 @@
size_t out_buf_new_len)
{
int modified = 0;
- size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
+ size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0, hdr_in = 0;
size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
if (ssl->in_buf != NULL) {
written_in = ssl->in_msg - ssl->in_buf;
iv_offset_in = ssl->in_iv - ssl->in_buf;
len_offset_in = ssl->in_len - ssl->in_buf;
+ hdr_in = ssl->in_hdr - ssl->in_buf;
if (downsizing ?
ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
ssl->in_buf_len < in_buf_new_len) {
@@ -376,7 +377,10 @@
}
if (modified) {
/* Update pointers here to avoid doing it twice. */
- mbedtls_ssl_reset_in_out_pointers(ssl);
+ ssl->in_hdr = ssl->in_buf + hdr_in;
+ mbedtls_ssl_update_in_pointers(ssl);
+ mbedtls_ssl_reset_out_pointers(ssl);
+
/* Fields below might not be properly updated with record
* splitting or with CID, so they are manually updated here. */
ssl->out_msg = ssl->out_buf + written_out;
@@ -1274,7 +1278,8 @@
goto error;
}
- mbedtls_ssl_reset_in_out_pointers(ssl);
+ mbedtls_ssl_reset_in_pointers(ssl);
+ mbedtls_ssl_reset_out_pointers(ssl);
#if defined(MBEDTLS_SSL_DTLS_SRTP)
memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
@@ -1339,7 +1344,8 @@
/* Cancel any possibly running timer */
mbedtls_ssl_set_timer(ssl, 0);
- mbedtls_ssl_reset_in_out_pointers(ssl);
+ mbedtls_ssl_reset_in_pointers(ssl);
+ mbedtls_ssl_reset_out_pointers(ssl);
/* Reset incoming message parsing */
ssl->in_offt = NULL;
@@ -1347,6 +1353,7 @@
ssl->in_msgtype = 0;
ssl->in_msglen = 0;
ssl->in_hslen = 0;
+ ssl->in_hsfraglen = 0;
ssl->keep_current_message = 0;
ssl->transform_in = NULL;
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index fc9b860..a302af4 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -1015,28 +1015,6 @@
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
- {
- size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
- MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
- (unsigned) handshake_len));
-
- /* The record layer has a record size limit of 2^14 - 1 and
- * fragmentation is not supported, so buf[1] should be zero. */
- if (buf[1] != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
- (unsigned) buf[1]));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- /* We don't support fragmentation of ClientHello (yet?) */
- if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
- (unsigned) msg_len,
- (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
- (unsigned) handshake_len));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- }
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h
index 6fc3d73..bc5cce5 100644
--- a/programs/ssl/ssl_test_lib.h
+++ b/programs/ssl/ssl_test_lib.h
@@ -243,8 +243,8 @@
* - free the provided PK context and re-initilize it as an opaque PK context
* wrapping the PSA key imported in the above step.
*
- * \param[in/out] pk On input the non-opaque PK context which contains the
- * key to be wrapped. On output the re-initialized PK
+ * \param[in,out] pk On input, the non-opaque PK context which contains the
+ * key to be wrapped. On output, the re-initialized PK
* context which represents the opaque version of the one
* provided as input.
* \param[in] psa_alg The primary algorithm that will be associated to the
diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat
index 4982f77..bef198f 100644
--- a/scripts/make_generated_files.bat
+++ b/scripts/make_generated_files.bat
@@ -32,4 +32,5 @@
python framework\scripts\generate_test_keys.py --output framework\tests\include\test\test_keys.h || exit /b 1
python tf-psa-crypto\framework\scripts\generate_test_keys.py --output tf-psa-crypto\framework\tests\include\test\test_keys.h || exit /b 1
python framework\scripts\generate_test_cert_macros.py --output tests\src\test_certs.h || exit /b 1
+python framework\scripts\generate_tls_handshake_tests.py || exit /b 1
python framework\scripts\generate_tls13_compat_tests.py || exit /b 1
diff --git a/tests/.gitignore b/tests/.gitignore
index 997101c..a4a0309 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -18,6 +18,7 @@
###START_GENERATED_FILES###
# Generated source files
+/opt-testcases/handshake-generated.sh
/opt-testcases/tls13-compat.sh
/suites/*.generated.data
/suites/test_suite_config.mbedtls_boolean.data
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 950c365..a56a707 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -57,6 +57,24 @@
# change too often in ways that don't affect the result
# ((un)commenting some options).
)
+
+ add_custom_command(
+ OUTPUT
+ ${CMAKE_CURRENT_SOURCE_DIR}/opt-testcases/handshake-generated.sh
+ WORKING_DIRECTORY
+ ${CMAKE_CURRENT_SOURCE_DIR}/..
+ COMMAND
+ "${MBEDTLS_PYTHON_EXECUTABLE}"
+ "${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_tls_handshake_tests.py"
+ DEPENDS
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/tls_test_case.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_tls_handshake_tests.py
+ )
+ add_custom_target(handshake-generated.sh
+ DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/opt-testcases/handshake-generated.sh)
+ set_target_properties(handshake-generated.sh PROPERTIES EXCLUDE_FROM_ALL NO)
+ add_dependencies(${ssl_opt_target} handshake-generated.sh)
+
add_custom_command(
OUTPUT
${CMAKE_CURRENT_SOURCE_DIR}/opt-testcases/tls13-compat.sh
diff --git a/tests/Makefile b/tests/Makefile
index 7bd9953..b6f2f8c 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -64,6 +64,13 @@
# Generated files needed to (fully) run ssl-opt.sh
.PHONY: ssl-opt
+opt-testcases/handshake-generated.sh: ../framework/scripts/mbedtls_framework/tls_test_case.py
+opt-testcases/handshake-generated.sh: ../framework/scripts/generate_tls_handshake_tests.py
+ echo " Gen $@"
+ $(PYTHON) ../framework/scripts/generate_tls_handshake_tests.py -o $@
+GENERATED_FILES += opt-testcases/handshake-generated.sh
+ssl-opt: opt-testcases/handshake-generated.sh
+
opt-testcases/tls13-compat.sh: ../framework/scripts/generate_tls13_compat_tests.py
echo " Gen $@"
$(PYTHON) ../framework/scripts/generate_tls13_compat_tests.py -o $@
diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh
index 8cc341d..ba10024 100755
--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@@ -179,6 +179,7 @@
check scripts/generate_query_config.pl programs/test/query_config.c
check scripts/generate_features.pl library/version_features.c
check framework/scripts/generate_ssl_debug_helpers.py library/ssl_debug_helpers_generated.c
+ check framework/scripts/generate_tls_handshake_tests.py tests/opt-testcases/handshake-generated.sh
check framework/scripts/generate_tls13_compat_tests.py tests/opt-testcases/tls13-compat.sh
check framework/scripts/generate_test_cert_macros.py tests/src/test_certs.h
# generate_visualc_files enumerates source files (library/*.c). It doesn't
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 75ab938..0736d0e 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -13705,6 +13705,20 @@
-c "Handshake was completed" \
-s "dumping .client hello, compression. (2 bytes)"
+# Handshake defragmentation testing
+
+# Most test cases are in opt-testcases/handshake-generated.sh
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello" \
+ "$P_SRV debug_level=4 force_version=tls12 auth_mode=required" \
+ "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+ 1 \
+ -s "The SSL configuration is tls12 only" \
+ -s "bad client hello message" \
+ -s "SSL - A message could not be parsed due to a syntactic error"
+
# Test heap memory usage after handshake
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_MEMORY_DEBUG