From 1330606ca1ea4d9296fc97ed320735075293e2f6 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 24 Mar 2026 16:49:34 +0100
Subject: [PATCH] dtls: Fix adaptation to first ClientHello

For each received ClientHello fragment, check that its epoch is zero and update the record-level sequence number.

Signed-off-by: Ronald Cron
---
 library/ssl_msg.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 0799a0067e..87d64788bd 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -2991,16 +2991,17 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
 ssl_buffering_shift_slots(ssl, recv_msg_seq);
 ssl->handshake->in_msg_seq = recv_msg_seq;
 ssl->handshake->out_msg_seq = recv_msg_seq;
-
- /* Epoch should be 0 for initial handshakes */
- if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
-
- memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
- sizeof(ssl->cur_out_ctr) - 2);
 }
+
+ /* Epoch should be 0 for initial handshakes */
+ if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
+ sizeof(ssl->cur_out_ctr) - 2);
+
 } else if (mbedtls_ssl_is_handshake_over(ssl) == 1) {
 /* In case of a post-handshake ClientHello that initiates a
 * renegotiation check that the handshake message sequence
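Review bot: The `memcpy` into `ssl->cur_out_ctr` now runs for every ClientHello fragment, but nothing explains why the outgoing record counter is taken from the peer's record, or that the last fragment processed is the one whose sequence number ends up being used. I would add a comment above it such as `/* DTLS: reuse the record sequence number of the ClientHello (latest fragment seen) for our reply */`, citing RFC 6347 section 4.2.1 if that is the rule being implemented. Because the value comes from an unauthenticated epoch-0 record, it is worth confirming that this branch cannot be reached after the server has already sent records in the same epoch, which would rewind the counter. The branch condition and the inner `if` that previously held these lines start outside the hunk, so I cannot tell from here. The diffstat lists only `library/ssl_msg.c`, so a regression test for a fragmented ClientHello whose later fragment carries a non-zero epoch appears to be missing from this patch.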