From 4773333dc6c32963db11f077c9162fc5806a31b9 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Sat, 1 Mar 2025 14:28:20 +0100
Subject: [PATCH 1/8] New generated file:
 tests/opt-testcases/handshake-generated.sh

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 framework                              |  2 +-
 scripts/make_generated_files.bat       |  1 +
 tests/.gitignore                       |  1 +
 tests/CMakeLists.txt                   | 18 ++++++++++++++++++
 tests/Makefile                         |  7 +++++++
 tests/scripts/check-generated-files.sh |  1 +
 6 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/framework b/framework
index 523a12d05b..11e4f5ac1c 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 523a12d05b91301b020e2aa560d9774135e3a801
+Subproject commit 11e4f5ac1c71fe7d803fa5193236560b2e176cea
diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat
index 4982f77dba..bef198f361 100644
--- a/scripts/make_generated_files.bat
+++ b/scripts/make_generated_files.bat
@@ -32,4 +32,5 @@ python framework\scripts\generate_psa_tests.py --directory tf-psa-crypto\tests\s
 python framework\scripts\generate_test_keys.py --output framework\tests\include\test\test_keys.h || exit /b 1
 python tf-psa-crypto\framework\scripts\generate_test_keys.py --output tf-psa-crypto\framework\tests\include\test\test_keys.h || exit /b 1
 python framework\scripts\generate_test_cert_macros.py --output tests\src\test_certs.h || exit /b 1
+python framework\scripts\generate_tls_handshake_tests.py || exit /b 1
 python framework\scripts\generate_tls13_compat_tests.py || exit /b 1
diff --git a/tests/.gitignore b/tests/.gitignore
index 997101cc80..a4a0309fa8 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -18,6 +18,7 @@
 
 ###START_GENERATED_FILES###
 # Generated source files
+/opt-testcases/handshake-generated.sh
 /opt-testcases/tls13-compat.sh
 /suites/*.generated.data
 /suites/test_suite_config.mbedtls_boolean.data
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 950c365973..a56a707f41 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -57,6 +57,24 @@ if(GEN_FILES)
             # change too often in ways that don't affect the result
             # ((un)commenting some options).
     )
+
+    add_custom_command(
+        OUTPUT
+            ${CMAKE_CURRENT_SOURCE_DIR}/opt-testcases/handshake-generated.sh
+        WORKING_DIRECTORY
+            ${CMAKE_CURRENT_SOURCE_DIR}/..
+        COMMAND
+            "${MBEDTLS_PYTHON_EXECUTABLE}"
+            "${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_tls_handshake_tests.py"
+        DEPENDS
+            ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/tls_test_case.py
+            ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_tls_handshake_tests.py
+    )
+    add_custom_target(handshake-generated.sh
+        DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/opt-testcases/handshake-generated.sh)
+    set_target_properties(handshake-generated.sh PROPERTIES EXCLUDE_FROM_ALL NO)
+    add_dependencies(${ssl_opt_target} handshake-generated.sh)
+
     add_custom_command(
         OUTPUT
             ${CMAKE_CURRENT_SOURCE_DIR}/opt-testcases/tls13-compat.sh
diff --git a/tests/Makefile b/tests/Makefile
index 7bd9953422..b6f2f8caff 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -64,6 +64,13 @@ GENERATED_FILES += ../framework/tests/include/test/test_keys.h \
 # Generated files needed to (fully) run ssl-opt.sh
 .PHONY: ssl-opt
 
+opt-testcases/handshake-generated.sh: ../framework/scripts/mbedtls_framework/tls_test_case.py
+opt-testcases/handshake-generated.sh: ../framework/scripts/generate_tls_handshake_tests.py
+	echo "  Gen   $@"
+	$(PYTHON) ../framework/scripts/generate_tls_handshake_tests.py -o $@
+GENERATED_FILES += opt-testcases/handshake-generated.sh
+ssl-opt: opt-testcases/handshake-generated.sh
+
 opt-testcases/tls13-compat.sh: ../framework/scripts/generate_tls13_compat_tests.py
 	echo "  Gen   $@"
 	$(PYTHON) ../framework/scripts/generate_tls13_compat_tests.py -o $@
diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh
index 8cc341d177..ba10024ee8 100755
--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@@ -179,6 +179,7 @@ if in_mbedtls_repo; then
     check scripts/generate_query_config.pl programs/test/query_config.c
     check scripts/generate_features.pl library/version_features.c
     check framework/scripts/generate_ssl_debug_helpers.py library/ssl_debug_helpers_generated.c
+    check framework/scripts/generate_tls_handshake_tests.py tests/opt-testcases/handshake-generated.sh
     check framework/scripts/generate_tls13_compat_tests.py tests/opt-testcases/tls13-compat.sh
     check framework/scripts/generate_test_cert_macros.py tests/src/test_certs.h
     # generate_visualc_files enumerates source files (library/*.c). It doesn't

From b40d33b7c86c07849001f61d3aa0577d4b2ab016 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Sat, 1 Mar 2025 14:26:51 +0100
Subject: [PATCH 2/8] Move most TLS handshake defragmentation tests to a
 separate file

Prepare for those test cases to be automatically generated by a script.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/opt-testcases/handshake-manual.sh | 519 +++++++++++++++++++++++
 tests/ssl-opt.sh                        | 520 +-----------------------
 2 files changed, 520 insertions(+), 519 deletions(-)
 create mode 100644 tests/opt-testcases/handshake-manual.sh

diff --git a/tests/opt-testcases/handshake-manual.sh b/tests/opt-testcases/handshake-manual.sh
new file mode 100644
index 0000000000..8496c0d871
--- /dev/null
+++ b/tests/opt-testcases/handshake-manual.sh
@@ -0,0 +1,519 @@
+# To guarantee that the handhake messages are large enough and need to be split
+# into fragments, the tests require certificate authentication. The party in control
+# of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes).
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client (no fragmentation, for reference)" \
+            "$O_NEXT_SRV" \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -C "reassembled record" \
+            -C "waiting for more fragments"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=512, TLS 1.3" \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 512 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
+            -c "waiting for more fragments (512 of [0-9]\\+"
+
+#The server uses an ECDSA cert, so make sure we have a compatible key exchange
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+run_test    "Handshake defragmentation on client: len=512, TLS 1.2" \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 512 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
+            -c "waiting for more fragments (512 of [0-9]\\+"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=513, TLS 1.3" \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 513 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
+            -c "waiting for more fragments (513 of [0-9]\\+"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+run_test    "Handshake defragmentation on client: len=513, TLS 1.2" \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 513 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
+            -c "waiting for more fragments (513 of [0-9]\\+"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=256, TLS 1.3" \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 256 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
+            -c "waiting for more fragments (256 of [0-9]\\+"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+run_test    "Handshake defragmentation on client: len=256, TLS 1.2" \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 256 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
+            -c "waiting for more fragments (256 of [0-9]\\+"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=128, TLS 1.3" \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 128 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
+            -c "waiting for more fragments (128"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+run_test    "Handshake defragmentation on client: len=128, TLS 1.2" \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 128 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
+            -c "waiting for more fragments (128"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=64, TLS 1.3" \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 64 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
+            -c "waiting for more fragments (64"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+run_test    "Handshake defragmentation on client: len=64, TLS 1.2" \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 64 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
+            -c "waiting for more fragments (64"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=36, TLS 1.3" \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 36 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
+            -c "waiting for more fragments (36"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+run_test    "Handshake defragmentation on client: len=36, TLS 1.2" \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 36 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
+            -c "waiting for more fragments (36"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=32, TLS 1.3" \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 32 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
+            -c "waiting for more fragments (32"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+run_test    "Handshake defragmentation on client: len=32, TLS 1.2" \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 32 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
+            -c "waiting for more fragments (32"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=16, TLS 1.3" \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 16 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
+            -c "waiting for more fragments (16"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+run_test    "Handshake defragmentation on client: len=16, TLS 1.2" \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 16 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
+            -c "waiting for more fragments (16"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=13, TLS 1.3" \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 13 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
+            -c "waiting for more fragments (13"
+
+skip_next_test
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=13, TLS 1.2" \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 13 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
+            -c "waiting for more fragments (13"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=5, TLS 1.3" \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 5 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
+            -c "waiting for more fragments (5"
+
+skip_next_test
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=5, TLS 1.2" \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 5 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
+            -c "waiting for more fragments (5"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=4, TLS 1.3" \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 4 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
+            -c "waiting for more fragments (4"
+
+skip_next_test
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=4, TLS 1.2" \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 4 " \
+            "$P_CLI debug_level=4 " \
+            0 \
+            -c "reassembled record" \
+            -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
+            -c "waiting for more fragments (4"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on client: len=3, TLS 1.3" \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 3 " \
+            "$P_CLI debug_level=4 " \
+            1 \
+            -c "=> ssl_tls13_process_server_hello" \
+            -c "handshake message too short: 3" \
+            -c "SSL - An invalid SSL record was received"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test    "Handshake defragmentation on client: len=3, TLS 1.2" \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 3 " \
+            "$P_CLI debug_level=4 " \
+            1 \
+            -c "handshake message too short: 3" \
+            -c "SSL - An invalid SSL record was received"
+
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server (no fragmentation, for reference)." \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -S "reassembled record" \
+            -S "waiting for more fragments"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=512, TLS 1.3" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_3 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
+            -s "waiting for more fragments (512"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=512, TLS 1.2" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
+            -s "waiting for more fragments (512"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=513, TLS 1.3" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_3 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
+            -s "waiting for more fragments (513"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=513, TLS 1.2" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_2 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
+            -s "waiting for more fragments (513"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=256, TLS 1.3" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_3 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
+            -s "waiting for more fragments (256"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=256, TLS 1.2" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
+            -s "waiting for more fragments (256"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=128, TLS 1.3" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_3 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
+            -s "waiting for more fragments (128"
+
+# Server-side ClientHello defragmentationis only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing
+# the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello.
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=128, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
+            -s "waiting for more fragments (128"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=64, TLS 1.3" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_3 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
+            -s "waiting for more fragments (64"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=64, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_2 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
+            -s "waiting for more fragments (64"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=36, TLS 1.3" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_3 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
+            -s "waiting for more fragments (36"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=36, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_2 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
+            -s "waiting for more fragments (36"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=32, TLS 1.3" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_3 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
+            -s "waiting for more fragments (32"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=32, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
+            -s "waiting for more fragments (32"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=16, TLS 1.3" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_3 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
+            -s "waiting for more fragments (16"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=16, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_2 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
+            -s "waiting for more fragments (16"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=13, TLS 1.3" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_3 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
+            -s "waiting for more fragments (13"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=13, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_2 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
+            -s "waiting for more fragments (13"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=5, TLS 1.3" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_3 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
+            -s "waiting for more fragments (5"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=5, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_2 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
+            -s "waiting for more fragments (5"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=4, TLS 1.3" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_3 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
+            -s "waiting for more fragments (4"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=4, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            0 \
+            -s "reassembled record" \
+            -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
+            -s "waiting for more fragments (4"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=3, TLS 1.3" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_3 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            1 \
+            -s "<= parse client hello" \
+            -s "handshake message too short: 3" \
+            -s "SSL - An invalid SSL record was received"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_certificate_authentication
+run_test    "Handshake defragmentation on server: len=3, TLS 1.3 ClientHello -> 1.2 Handshake" \
+            "$P_SRV debug_level=4 auth_mode=required" \
+            "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
+            1 \
+            -s "<= parse client hello" \
+            -s "handshake message too short: 3" \
+            -s "SSL - An invalid SSL record was received"
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 5fc17a4cbd..40d15152c3 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -13874,525 +13874,7 @@ run_test    "TLS 1.2 ClientHello indicating support for deflate compression meth
 
 # Handshake defragmentation testing
 
-# To guarantee that the handhake messages are large enough and need to be split
-# into fragments, the tests require certificate authentication. The party in control
-# of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes).
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client (no fragmentation, for reference)" \
-            "$O_NEXT_SRV" \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -C "reassembled record" \
-            -C "waiting for more fragments"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=512, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 512 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
-            -c "waiting for more fragments (512 of [0-9]\\+"
-
-#The server uses an ECDSA cert, so make sure we have a compatible key exchange
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=512, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 512 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
-            -c "waiting for more fragments (512 of [0-9]\\+"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=513, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 513 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
-            -c "waiting for more fragments (513 of [0-9]\\+"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=513, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 513 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
-            -c "waiting for more fragments (513 of [0-9]\\+"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=256, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 256 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
-            -c "waiting for more fragments (256 of [0-9]\\+"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=256, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 256 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
-            -c "waiting for more fragments (256 of [0-9]\\+"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=128, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 128 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
-            -c "waiting for more fragments (128"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=128, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 128 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
-            -c "waiting for more fragments (128"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=64, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 64 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
-            -c "waiting for more fragments (64"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=64, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 64 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
-            -c "waiting for more fragments (64"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=36, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 36 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
-            -c "waiting for more fragments (36"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=36, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 36 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
-            -c "waiting for more fragments (36"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=32, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 32 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
-            -c "waiting for more fragments (32"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=32, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 32 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
-            -c "waiting for more fragments (32"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=16, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 16 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
-            -c "waiting for more fragments (16"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=16, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 16 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
-            -c "waiting for more fragments (16"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=13, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 13 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
-            -c "waiting for more fragments (13"
-
-skip_next_test
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=13, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 13 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
-            -c "waiting for more fragments (13"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=5, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 5 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
-            -c "waiting for more fragments (5"
-
-skip_next_test
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=5, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 5 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
-            -c "waiting for more fragments (5"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=4, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 4 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
-            -c "waiting for more fragments (4"
-
-skip_next_test
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=4, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 4 " \
-            "$P_CLI debug_level=4 " \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
-            -c "waiting for more fragments (4"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=3, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 3 " \
-            "$P_CLI debug_level=4 " \
-            1 \
-            -c "=> ssl_tls13_process_server_hello" \
-            -c "handshake message too short: 3" \
-            -c "SSL - An invalid SSL record was received"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test    "Handshake defragmentation on client: len=3, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 3 " \
-            "$P_CLI debug_level=4 " \
-            1 \
-            -c "handshake message too short: 3" \
-            -c "SSL - An invalid SSL record was received"
-
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server (no fragmentation, for reference)." \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -S "reassembled record" \
-            -S "waiting for more fragments"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=512, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
-            -s "waiting for more fragments (512"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=512, TLS 1.2" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
-            -s "waiting for more fragments (512"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=513, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
-            -s "waiting for more fragments (513"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=513, TLS 1.2" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
-            -s "waiting for more fragments (513"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=256, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
-            -s "waiting for more fragments (256"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=256, TLS 1.2" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
-            -s "waiting for more fragments (256"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=128, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
-            -s "waiting for more fragments (128"
-
-# Server-side ClientHello defragmentationis only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing
-# the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello.
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=128, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
-            -s "waiting for more fragments (128"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=64, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
-            -s "waiting for more fragments (64"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=64, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
-            -s "waiting for more fragments (64"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=36, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
-            -s "waiting for more fragments (36"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=36, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
-            -s "waiting for more fragments (36"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=32, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
-            -s "waiting for more fragments (32"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=32, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
-            -s "waiting for more fragments (32"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=16, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
-            -s "waiting for more fragments (16"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=16, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
-            -s "waiting for more fragments (16"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=13, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
-            -s "waiting for more fragments (13"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=13, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
-            -s "waiting for more fragments (13"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=5, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
-            -s "waiting for more fragments (5"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=5, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
-            -s "waiting for more fragments (5"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=4, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
-            -s "waiting for more fragments (4"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=4, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
-            -s "waiting for more fragments (4"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=3, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            1 \
-            -s "<= parse client hello" \
-            -s "handshake message too short: 3" \
-            -s "SSL - An invalid SSL record was received"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=3, TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            1 \
-            -s "<= parse client hello" \
-            -s "handshake message too short: 3" \
-            -s "SSL - An invalid SSL record was received"
+# Most test cases are in opt-testcases/handshake-generated.sh
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication

From aaab090ad87b5c504e5e4f349c8b235faf3aac34 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Sat, 1 Mar 2025 13:53:18 +0100
Subject: [PATCH 3/8] Normalize whitespace in defragmentation test cases

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/opt-testcases/handshake-manual.sh | 98 ++++++++++++-------------
 1 file changed, 49 insertions(+), 49 deletions(-)

diff --git a/tests/opt-testcases/handshake-manual.sh b/tests/opt-testcases/handshake-manual.sh
index 8496c0d871..1b7b9799f3 100644
--- a/tests/opt-testcases/handshake-manual.sh
+++ b/tests/opt-testcases/handshake-manual.sh
@@ -4,7 +4,7 @@
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client (no fragmentation, for reference)" \
             "$O_NEXT_SRV" \
-            "$P_CLI debug_level=4 " \
+            "$P_CLI debug_level=4" \
             0 \
             -C "reassembled record" \
             -C "waiting for more fragments"
@@ -12,8 +12,8 @@ run_test    "Handshake defragmentation on client (no fragmentation, for referenc
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=512, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 512 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 512" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
@@ -24,8 +24,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 run_test    "Handshake defragmentation on client: len=512, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 512 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 512" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
@@ -34,8 +34,8 @@ run_test    "Handshake defragmentation on client: len=512, TLS 1.2" \
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=513, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 513 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 513" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
@@ -45,8 +45,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 run_test    "Handshake defragmentation on client: len=513, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 513 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 513" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
@@ -55,8 +55,8 @@ run_test    "Handshake defragmentation on client: len=513, TLS 1.2" \
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=256, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 256 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 256" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
@@ -66,8 +66,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 run_test    "Handshake defragmentation on client: len=256, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 256 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 256" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
@@ -76,8 +76,8 @@ run_test    "Handshake defragmentation on client: len=256, TLS 1.2" \
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=128, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 128 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 128" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
@@ -87,8 +87,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 run_test    "Handshake defragmentation on client: len=128, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 128 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 128" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
@@ -97,8 +97,8 @@ run_test    "Handshake defragmentation on client: len=128, TLS 1.2" \
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=64, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 64 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 64" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
@@ -108,8 +108,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 run_test    "Handshake defragmentation on client: len=64, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 64 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 64" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
@@ -118,8 +118,8 @@ run_test    "Handshake defragmentation on client: len=64, TLS 1.2" \
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=36, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 36 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 36" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
@@ -129,8 +129,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 run_test    "Handshake defragmentation on client: len=36, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 36 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 36" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
@@ -139,8 +139,8 @@ run_test    "Handshake defragmentation on client: len=36, TLS 1.2" \
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=32, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 32 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 32" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
@@ -150,8 +150,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 run_test    "Handshake defragmentation on client: len=32, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 32 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 32" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
@@ -160,8 +160,8 @@ run_test    "Handshake defragmentation on client: len=32, TLS 1.2" \
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=16, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 16 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 16" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
@@ -171,8 +171,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 run_test    "Handshake defragmentation on client: len=16, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 16 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 16" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
@@ -181,8 +181,8 @@ run_test    "Handshake defragmentation on client: len=16, TLS 1.2" \
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=13, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 13 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 13" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
@@ -192,8 +192,8 @@ skip_next_test
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=13, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 13 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 13" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
@@ -202,8 +202,8 @@ run_test    "Handshake defragmentation on client: len=13, TLS 1.2" \
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=5, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 5 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 5" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
@@ -213,8 +213,8 @@ skip_next_test
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=5, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 5 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 5" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
@@ -223,8 +223,8 @@ run_test    "Handshake defragmentation on client: len=5, TLS 1.2" \
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=4, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 4 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 4" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
@@ -234,8 +234,8 @@ skip_next_test
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=4, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 4 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 4" \
+            "$P_CLI debug_level=4" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
@@ -244,8 +244,8 @@ run_test    "Handshake defragmentation on client: len=4, TLS 1.2" \
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=3, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 3 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_3 -split_send_frag 3" \
+            "$P_CLI debug_level=4" \
             1 \
             -c "=> ssl_tls13_process_server_hello" \
             -c "handshake message too short: 3" \
@@ -253,8 +253,8 @@ run_test    "Handshake defragmentation on client: len=3, TLS 1.3" \
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "Handshake defragmentation on client: len=3, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 3 " \
-            "$P_CLI debug_level=4 " \
+            "$O_NEXT_SRV -tls1_2 -split_send_frag 3" \
+            "$P_CLI debug_level=4" \
             1 \
             -c "handshake message too short: 3" \
             -c "SSL - An invalid SSL record was received"

From 46cb8a2aa91b4f7ff146b6a6c940d9807ee2e313 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Sat, 1 Mar 2025 14:12:02 +0100
Subject: [PATCH 4/8] Normalize messages in defragmentation test cases

Make some test case descriptions and log patterns follow more systematic
patterns.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/opt-testcases/handshake-manual.sh | 94 ++++++++++++-------------
 1 file changed, 47 insertions(+), 47 deletions(-)

diff --git a/tests/opt-testcases/handshake-manual.sh b/tests/opt-testcases/handshake-manual.sh
index 1b7b9799f3..087cf66fce 100644
--- a/tests/opt-testcases/handshake-manual.sh
+++ b/tests/opt-testcases/handshake-manual.sh
@@ -2,7 +2,7 @@
 # into fragments, the tests require certificate authentication. The party in control
 # of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes).
 requires_certificate_authentication
-run_test    "Handshake defragmentation on client (no fragmentation, for reference)" \
+run_test    "Handshake defragmentation on client: no fragmentation, for reference" \
             "$O_NEXT_SRV" \
             "$P_CLI debug_level=4" \
             0 \
@@ -17,7 +17,7 @@ run_test    "Handshake defragmentation on client: len=512, TLS 1.3" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
-            -c "waiting for more fragments (512 of [0-9]\\+"
+            -c "waiting for more fragments (512 of"
 
 #The server uses an ECDSA cert, so make sure we have a compatible key exchange
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@@ -29,7 +29,7 @@ run_test    "Handshake defragmentation on client: len=512, TLS 1.2" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
-            -c "waiting for more fragments (512 of [0-9]\\+"
+            -c "waiting for more fragments (512 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -39,7 +39,7 @@ run_test    "Handshake defragmentation on client: len=513, TLS 1.3" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
-            -c "waiting for more fragments (513 of [0-9]\\+"
+            -c "waiting for more fragments (513 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
@@ -50,7 +50,7 @@ run_test    "Handshake defragmentation on client: len=513, TLS 1.2" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
-            -c "waiting for more fragments (513 of [0-9]\\+"
+            -c "waiting for more fragments (513 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -60,7 +60,7 @@ run_test    "Handshake defragmentation on client: len=256, TLS 1.3" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
-            -c "waiting for more fragments (256 of [0-9]\\+"
+            -c "waiting for more fragments (256 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
@@ -71,7 +71,7 @@ run_test    "Handshake defragmentation on client: len=256, TLS 1.2" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
-            -c "waiting for more fragments (256 of [0-9]\\+"
+            -c "waiting for more fragments (256 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -81,7 +81,7 @@ run_test    "Handshake defragmentation on client: len=128, TLS 1.3" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
-            -c "waiting for more fragments (128"
+            -c "waiting for more fragments (128 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
@@ -92,7 +92,7 @@ run_test    "Handshake defragmentation on client: len=128, TLS 1.2" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
-            -c "waiting for more fragments (128"
+            -c "waiting for more fragments (128 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -102,7 +102,7 @@ run_test    "Handshake defragmentation on client: len=64, TLS 1.3" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
-            -c "waiting for more fragments (64"
+            -c "waiting for more fragments (64 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
@@ -113,7 +113,7 @@ run_test    "Handshake defragmentation on client: len=64, TLS 1.2" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
-            -c "waiting for more fragments (64"
+            -c "waiting for more fragments (64 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -123,7 +123,7 @@ run_test    "Handshake defragmentation on client: len=36, TLS 1.3" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
-            -c "waiting for more fragments (36"
+            -c "waiting for more fragments (36 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
@@ -134,7 +134,7 @@ run_test    "Handshake defragmentation on client: len=36, TLS 1.2" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
-            -c "waiting for more fragments (36"
+            -c "waiting for more fragments (36 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -144,7 +144,7 @@ run_test    "Handshake defragmentation on client: len=32, TLS 1.3" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
-            -c "waiting for more fragments (32"
+            -c "waiting for more fragments (32 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
@@ -155,7 +155,7 @@ run_test    "Handshake defragmentation on client: len=32, TLS 1.2" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
-            -c "waiting for more fragments (32"
+            -c "waiting for more fragments (32 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -165,7 +165,7 @@ run_test    "Handshake defragmentation on client: len=16, TLS 1.3" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
-            -c "waiting for more fragments (16"
+            -c "waiting for more fragments (16 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
@@ -176,7 +176,7 @@ run_test    "Handshake defragmentation on client: len=16, TLS 1.2" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
-            -c "waiting for more fragments (16"
+            -c "waiting for more fragments (16 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -186,7 +186,7 @@ run_test    "Handshake defragmentation on client: len=13, TLS 1.3" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
-            -c "waiting for more fragments (13"
+            -c "waiting for more fragments (13 of"
 
 skip_next_test
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@@ -197,7 +197,7 @@ run_test    "Handshake defragmentation on client: len=13, TLS 1.2" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
-            -c "waiting for more fragments (13"
+            -c "waiting for more fragments (13 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -207,7 +207,7 @@ run_test    "Handshake defragmentation on client: len=5, TLS 1.3" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
-            -c "waiting for more fragments (5"
+            -c "waiting for more fragments (5 of"
 
 skip_next_test
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@@ -218,7 +218,7 @@ run_test    "Handshake defragmentation on client: len=5, TLS 1.2" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
-            -c "waiting for more fragments (5"
+            -c "waiting for more fragments (5 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -228,7 +228,7 @@ run_test    "Handshake defragmentation on client: len=4, TLS 1.3" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
-            -c "waiting for more fragments (4"
+            -c "waiting for more fragments (4 of"
 
 skip_next_test
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@@ -239,7 +239,7 @@ run_test    "Handshake defragmentation on client: len=4, TLS 1.2" \
             0 \
             -c "reassembled record" \
             -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
-            -c "waiting for more fragments (4"
+            -c "waiting for more fragments (4 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -260,7 +260,7 @@ run_test    "Handshake defragmentation on client: len=3, TLS 1.2" \
             -c "SSL - An invalid SSL record was received"
 
 requires_certificate_authentication
-run_test    "Handshake defragmentation on server (no fragmentation, for reference)." \
+run_test    "Handshake defragmentation on server: no fragmentation, for reference" \
             "$P_SRV debug_level=4 auth_mode=required" \
             "$O_NEXT_CLI -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
             0 \
@@ -275,7 +275,7 @@ run_test    "Handshake defragmentation on server: len=512, TLS 1.3" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
-            -s "waiting for more fragments (512"
+            -s "waiting for more fragments (512 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
@@ -285,7 +285,7 @@ run_test    "Handshake defragmentation on server: len=512, TLS 1.2" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
-            -s "waiting for more fragments (512"
+            -s "waiting for more fragments (512 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -295,7 +295,7 @@ run_test    "Handshake defragmentation on server: len=513, TLS 1.3" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
-            -s "waiting for more fragments (513"
+            -s "waiting for more fragments (513 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
@@ -305,7 +305,7 @@ run_test    "Handshake defragmentation on server: len=513, TLS 1.2" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
-            -s "waiting for more fragments (513"
+            -s "waiting for more fragments (513 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -315,7 +315,7 @@ run_test    "Handshake defragmentation on server: len=256, TLS 1.3" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
-            -s "waiting for more fragments (256"
+            -s "waiting for more fragments (256 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
@@ -325,7 +325,7 @@ run_test    "Handshake defragmentation on server: len=256, TLS 1.2" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
-            -s "waiting for more fragments (256"
+            -s "waiting for more fragments (256 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -335,7 +335,7 @@ run_test    "Handshake defragmentation on server: len=128, TLS 1.3" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
-            -s "waiting for more fragments (128"
+            -s "waiting for more fragments (128 of"
 
 # Server-side ClientHello defragmentationis only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing
 # the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello.
@@ -348,7 +348,7 @@ run_test    "Handshake defragmentation on server: len=128, TLS 1.2  TLS 1.3 Clie
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
-            -s "waiting for more fragments (128"
+            -s "waiting for more fragments (128 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -358,7 +358,7 @@ run_test    "Handshake defragmentation on server: len=64, TLS 1.3" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
-            -s "waiting for more fragments (64"
+            -s "waiting for more fragments (64 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -369,7 +369,7 @@ run_test    "Handshake defragmentation on server: len=64, TLS 1.2  TLS 1.3 Clien
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
-            -s "waiting for more fragments (64"
+            -s "waiting for more fragments (64 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -379,7 +379,7 @@ run_test    "Handshake defragmentation on server: len=36, TLS 1.3" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
-            -s "waiting for more fragments (36"
+            -s "waiting for more fragments (36 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -390,7 +390,7 @@ run_test    "Handshake defragmentation on server: len=36, TLS 1.2  TLS 1.3 Clien
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
-            -s "waiting for more fragments (36"
+            -s "waiting for more fragments (36 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -400,7 +400,7 @@ run_test    "Handshake defragmentation on server: len=32, TLS 1.3" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
-            -s "waiting for more fragments (32"
+            -s "waiting for more fragments (32 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -411,7 +411,7 @@ run_test    "Handshake defragmentation on server: len=32, TLS 1.2  TLS 1.3 Clien
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
-            -s "waiting for more fragments (32"
+            -s "waiting for more fragments (32 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -421,7 +421,7 @@ run_test    "Handshake defragmentation on server: len=16, TLS 1.3" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
-            -s "waiting for more fragments (16"
+            -s "waiting for more fragments (16 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -432,7 +432,7 @@ run_test    "Handshake defragmentation on server: len=16, TLS 1.2  TLS 1.3 Clien
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
-            -s "waiting for more fragments (16"
+            -s "waiting for more fragments (16 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -442,7 +442,7 @@ run_test    "Handshake defragmentation on server: len=13, TLS 1.3" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
-            -s "waiting for more fragments (13"
+            -s "waiting for more fragments (13 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -453,7 +453,7 @@ run_test    "Handshake defragmentation on server: len=13, TLS 1.2  TLS 1.3 Clien
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
-            -s "waiting for more fragments (13"
+            -s "waiting for more fragments (13 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -463,7 +463,7 @@ run_test    "Handshake defragmentation on server: len=5, TLS 1.3" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
-            -s "waiting for more fragments (5"
+            -s "waiting for more fragments (5 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -474,7 +474,7 @@ run_test    "Handshake defragmentation on server: len=5, TLS 1.2  TLS 1.3 Client
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
-            -s "waiting for more fragments (5"
+            -s "waiting for more fragments (5 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -484,7 +484,7 @@ run_test    "Handshake defragmentation on server: len=4, TLS 1.3" \
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
-            -s "waiting for more fragments (4"
+            -s "waiting for more fragments (4 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -495,7 +495,7 @@ run_test    "Handshake defragmentation on server: len=4, TLS 1.2  TLS 1.3 Client
             0 \
             -s "reassembled record" \
             -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
-            -s "waiting for more fragments (4"
+            -s "waiting for more fragments (4 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
@@ -510,7 +510,7 @@ run_test    "Handshake defragmentation on server: len=3, TLS 1.3" \
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=3, TLS 1.3 ClientHello -> 1.2 Handshake" \
+run_test    "Handshake defragmentation on server: len=3, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
             "$P_SRV debug_level=4 auth_mode=required" \
             "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
             1 \

From 5071a253209921c1bf334b3b961cde1299413a4f Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Sat, 1 Mar 2025 16:38:50 +0100
Subject: [PATCH 5/8] Normalize requirements in defragmentation test cases

Be more uniform in where certificate authentication and ECDSA are explicitly
required. A few test cases now run in PSK-only configurations where they
always could. Add a missing requirement on ECDSA to test cases that are
currently skipped.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/opt-testcases/handshake-manual.sh | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/tests/opt-testcases/handshake-manual.sh b/tests/opt-testcases/handshake-manual.sh
index 087cf66fce..1e118e59c1 100644
--- a/tests/opt-testcases/handshake-manual.sh
+++ b/tests/opt-testcases/handshake-manual.sh
@@ -1,7 +1,6 @@
 # To guarantee that the handhake messages are large enough and need to be split
 # into fragments, the tests require certificate authentication. The party in control
 # of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes).
-requires_certificate_authentication
 run_test    "Handshake defragmentation on client: no fragmentation, for reference" \
             "$O_NEXT_SRV" \
             "$P_CLI debug_level=4" \
@@ -191,6 +190,7 @@ run_test    "Handshake defragmentation on client: len=13, TLS 1.3" \
 skip_next_test
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 run_test    "Handshake defragmentation on client: len=13, TLS 1.2" \
             "$O_NEXT_SRV -tls1_2 -split_send_frag 13" \
             "$P_CLI debug_level=4" \
@@ -212,6 +212,7 @@ run_test    "Handshake defragmentation on client: len=5, TLS 1.3" \
 skip_next_test
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 run_test    "Handshake defragmentation on client: len=5, TLS 1.2" \
             "$O_NEXT_SRV -tls1_2 -split_send_frag 5" \
             "$P_CLI debug_level=4" \
@@ -233,6 +234,7 @@ run_test    "Handshake defragmentation on client: len=4, TLS 1.3" \
 skip_next_test
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_certificate_authentication
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 run_test    "Handshake defragmentation on client: len=4, TLS 1.2" \
             "$O_NEXT_SRV -tls1_2 -split_send_frag 4" \
             "$P_CLI debug_level=4" \
@@ -242,7 +244,6 @@ run_test    "Handshake defragmentation on client: len=4, TLS 1.2" \
             -c "waiting for more fragments (4 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
 run_test    "Handshake defragmentation on client: len=3, TLS 1.3" \
             "$O_NEXT_SRV -tls1_3 -split_send_frag 3" \
             "$P_CLI debug_level=4" \
@@ -259,7 +260,6 @@ run_test    "Handshake defragmentation on client: len=3, TLS 1.2" \
             -c "handshake message too short: 3" \
             -c "SSL - An invalid SSL record was received"
 
-requires_certificate_authentication
 run_test    "Handshake defragmentation on server: no fragmentation, for reference" \
             "$P_SRV debug_level=4 auth_mode=required" \
             "$O_NEXT_CLI -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
@@ -498,7 +498,6 @@ run_test    "Handshake defragmentation on server: len=4, TLS 1.2  TLS 1.3 Client
             -s "waiting for more fragments (4 of"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
 run_test    "Handshake defragmentation on server: len=3, TLS 1.3" \
             "$P_SRV debug_level=4 auth_mode=required" \
             "$O_NEXT_CLI -tls1_3 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
@@ -509,7 +508,6 @@ run_test    "Handshake defragmentation on server: len=3, TLS 1.3" \
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
 run_test    "Handshake defragmentation on server: len=3, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
             "$P_SRV debug_level=4 auth_mode=required" \
             "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \

From f89bc276033d10b28429d8be04d1f6799fac3251 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Sat, 1 Mar 2025 16:48:33 +0100
Subject: [PATCH 6/8] Switch to generated handshake tests

Replace `tests/opt-testcases/handshake-manual.sh` by
`tests/opt-testcases/handshake-generated.sh`. They are identical except for
comments.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 framework                               |   2 +-
 tests/opt-testcases/handshake-manual.sh | 517 ------------------------
 2 files changed, 1 insertion(+), 518 deletions(-)
 delete mode 100644 tests/opt-testcases/handshake-manual.sh

diff --git a/framework b/framework
index 11e4f5ac1c..f88eb21ff1 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 11e4f5ac1c71fe7d803fa5193236560b2e176cea
+Subproject commit f88eb21ff11afe2c9ed553dcdba27166198f90d9
diff --git a/tests/opt-testcases/handshake-manual.sh b/tests/opt-testcases/handshake-manual.sh
deleted file mode 100644
index 1e118e59c1..0000000000
--- a/tests/opt-testcases/handshake-manual.sh
+++ /dev/null
@@ -1,517 +0,0 @@
-# To guarantee that the handhake messages are large enough and need to be split
-# into fragments, the tests require certificate authentication. The party in control
-# of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes).
-run_test    "Handshake defragmentation on client: no fragmentation, for reference" \
-            "$O_NEXT_SRV" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -C "reassembled record" \
-            -C "waiting for more fragments"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=512, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 512" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
-            -c "waiting for more fragments (512 of"
-
-#The server uses an ECDSA cert, so make sure we have a compatible key exchange
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=512, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 512" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
-            -c "waiting for more fragments (512 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=513, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 513" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
-            -c "waiting for more fragments (513 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=513, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 513" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
-            -c "waiting for more fragments (513 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=256, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 256" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
-            -c "waiting for more fragments (256 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=256, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 256" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
-            -c "waiting for more fragments (256 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=128, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 128" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
-            -c "waiting for more fragments (128 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=128, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 128" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
-            -c "waiting for more fragments (128 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=64, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 64" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
-            -c "waiting for more fragments (64 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=64, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 64" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
-            -c "waiting for more fragments (64 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=36, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 36" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
-            -c "waiting for more fragments (36 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=36, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 36" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
-            -c "waiting for more fragments (36 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=32, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 32" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
-            -c "waiting for more fragments (32 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=32, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 32" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
-            -c "waiting for more fragments (32 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=16, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 16" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
-            -c "waiting for more fragments (16 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=16, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 16" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
-            -c "waiting for more fragments (16 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=13, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 13" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
-            -c "waiting for more fragments (13 of"
-
-skip_next_test
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=13, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 13" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
-            -c "waiting for more fragments (13 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=5, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 5" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
-            -c "waiting for more fragments (5 of"
-
-skip_next_test
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=5, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 5" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
-            -c "waiting for more fragments (5 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on client: len=4, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 4" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
-            -c "waiting for more fragments (4 of"
-
-skip_next_test
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Handshake defragmentation on client: len=4, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 4" \
-            "$P_CLI debug_level=4" \
-            0 \
-            -c "reassembled record" \
-            -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
-            -c "waiting for more fragments (4 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-run_test    "Handshake defragmentation on client: len=3, TLS 1.3" \
-            "$O_NEXT_SRV -tls1_3 -split_send_frag 3" \
-            "$P_CLI debug_level=4" \
-            1 \
-            -c "=> ssl_tls13_process_server_hello" \
-            -c "handshake message too short: 3" \
-            -c "SSL - An invalid SSL record was received"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test    "Handshake defragmentation on client: len=3, TLS 1.2" \
-            "$O_NEXT_SRV -tls1_2 -split_send_frag 3" \
-            "$P_CLI debug_level=4" \
-            1 \
-            -c "handshake message too short: 3" \
-            -c "SSL - An invalid SSL record was received"
-
-run_test    "Handshake defragmentation on server: no fragmentation, for reference" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -S "reassembled record" \
-            -S "waiting for more fragments"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=512, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
-            -s "waiting for more fragments (512 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=512, TLS 1.2" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \
-            -s "waiting for more fragments (512 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=513, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
-            -s "waiting for more fragments (513 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=513, TLS 1.2" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \
-            -s "waiting for more fragments (513 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=256, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
-            -s "waiting for more fragments (256 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=256, TLS 1.2" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \
-            -s "waiting for more fragments (256 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=128, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
-            -s "waiting for more fragments (128 of"
-
-# Server-side ClientHello defragmentationis only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing
-# the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello.
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=128, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \
-            -s "waiting for more fragments (128 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=64, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
-            -s "waiting for more fragments (64 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=64, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \
-            -s "waiting for more fragments (64 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=36, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
-            -s "waiting for more fragments (36 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=36, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \
-            -s "waiting for more fragments (36 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=32, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
-            -s "waiting for more fragments (32 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=32, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \
-            -s "waiting for more fragments (32 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=16, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
-            -s "waiting for more fragments (16 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=16, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \
-            -s "waiting for more fragments (16 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=13, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
-            -s "waiting for more fragments (13 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=13, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \
-            -s "waiting for more fragments (13 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=5, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
-            -s "waiting for more fragments (5 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=5, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \
-            -s "waiting for more fragments (5 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=4, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
-            -s "waiting for more fragments (4 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_certificate_authentication
-run_test    "Handshake defragmentation on server: len=4, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            0 \
-            -s "reassembled record" \
-            -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \
-            -s "waiting for more fragments (4 of"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-run_test    "Handshake defragmentation on server: len=3, TLS 1.3" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_3 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            1 \
-            -s "<= parse client hello" \
-            -s "handshake message too short: 3" \
-            -s "SSL - An invalid SSL record was received"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-run_test    "Handshake defragmentation on server: len=3, TLS 1.2  TLS 1.3 ClientHello -> 1.2 Handshake" \
-            "$P_SRV debug_level=4 auth_mode=required" \
-            "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
-            1 \
-            -s "<= parse client hello" \
-            -s "handshake message too short: 3" \
-            -s "SSL - An invalid SSL record was received"

From e0bd20bd585a018b6497dac14934ea9a530a9d1f Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Mon, 3 Mar 2025 14:10:08 +0100
Subject: [PATCH 7/8] Generate handshake defragmentation test cases: update
 analyze_outcomes

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/scripts/analyze_outcomes.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 7a5c506a95..3946017625 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -34,6 +34,13 @@ class CoverageTask(outcome_analysis.CoverageTask):
                           re.DOTALL)
 
     IGNORED_TESTS = {
+        'handshake-generated': [
+            # Temporary disable Handshake defragmentation tests until mbedtls
+            # pr #10011 has been merged.
+            'Handshake defragmentation on client: len=4, TLS 1.2',
+            'Handshake defragmentation on client: len=5, TLS 1.2',
+            'Handshake defragmentation on client: len=13, TLS 1.2'
+        ],
         'ssl-opt': [
             # We don't run ssl-opt.sh with Valgrind on the CI because
             # it's extremely slow. We don't intend to change this.
@@ -50,11 +57,6 @@ class CoverageTask(outcome_analysis.CoverageTask):
             # TLS doesn't use restartable ECDH yet.
             # https://github.com/Mbed-TLS/mbedtls/issues/7294
             re.compile(r'EC restart:.*no USE_PSA.*'),
-            # Temporary disable Handshake defragmentation tests until mbedtls
-            # pr #10011 has been merged.
-            'Handshake defragmentation on client: len=4, TLS 1.2',
-            'Handshake defragmentation on client: len=5, TLS 1.2',
-            'Handshake defragmentation on client: len=13, TLS 1.2'
         ],
         'test_suite_config.mbedtls_boolean': [
             # Missing coverage of test configurations.

From 2d23a9a4643ca88d9ca541f4a0af556785040878 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 4 Mar 2025 18:51:27 +0100
Subject: [PATCH 8/8] Update framework

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 framework | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/framework b/framework
index f88eb21ff1..4a009d4b3c 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit f88eb21ff11afe2c9ed553dcdba27166198f90d9
+Subproject commit 4a009d4b3cf6c55a558d90c92c1aa2d1ea2bb99b