From aaa152ed91d445e233e71c8d7c3f2aa5b3b72a1a Mon Sep 17 00:00:00 2001
From: Deomid rojer Ryabkov <rojer@rojer.me>
Date: Sun, 26 Jan 2025 11:10:54 +0200
Subject: [PATCH] Allow fragments less HS msg header size (4 bytes)

Except the first

Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
---
 library/ssl_msg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index d0b755d9d3..36a8611109 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -3219,7 +3219,8 @@ static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl)
 
 int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
 {
-    if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
+    /* First handshake fragment must at least include the header. */
+    if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl) && ssl->in_hslen == 0) {
         MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
                                   ssl->in_msglen));
         return MBEDTLS_ERR_SSL_INVALID_RECORD;