Allow fragments less HS msg header size (4 bytes)

rojer · waleed-elmelegy-arm · commit 6c28ca6da255 · 2025-01-27T11:31:13.000Z
Except the first

Signed-off-by: Deomid rojer Ryabkov &lt;rojer@rojer.me&gt;
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
@@ -3219,7 +3219,8 @@ static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl)
 
 int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
 {
-    if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
+    /* First handshake fragment must at least include the header. */
+    if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl) && ssl->in_hslen == 0) {
         MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
                                   ssl->in_msglen));
         return MBEDTLS_ERR_SSL_INVALID_RECORD;

Original file line number	Diff line number	Diff line change
`@@ -3219,7 +3219,8 @@ static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl)`
`3219`	`3219`
`3220`	`3220`	`int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)`
`3221`	`3221`	`{`
`3222`		`- if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {`
	`3222`	`+ /* First handshake fragment must at least include the header. */`
	`3223`	`+ if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl) && ssl->in_hslen == 0) {`
`3223`	`3224`	`MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,`
`3224`	`3225`	`ssl->in_msglen));`
`3225`	`3226`	`return MBEDTLS_ERR_SSL_INVALID_RECORD;`