From 140ebea442ce2436f2f8ce59b554df6a70baad2f Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 24 Mar 2026 00:48:28 +0100
Subject: [PATCH] dtls: parse_client_hello: Adapt mbedtls_ssl_read_record() error code

Signed-off-by: Ronald Cron
---
 library/ssl_tls12_server.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 94e61a8aca..5dbdd3854c 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -879,6 +879,31 @@ static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
      */
     if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record ", ret);
+
+        /*
+         * In the case of an alert message corresponding to the termination of
+         * a previous connection, `ssl_parse_record_header()` and then
+         * `mbedtls_ssl_read_record()` may return
+         * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD because of a non zero epoch.
+         *
+         * Historically, the library has returned
+         * MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE in this situation.
+         * The sample program dtls_server.c relies on this behavior
+         * (see
+         * https://github.com/Mbed-TLS/mbedtls/blob/d5e35a376bee23fad0b17f2e3e94a32ce4017c64/programs/ssl/dtls_server.c#L295),
+         * and user applications may rely on it as well.
+         *
+         * For compatibility, map MBEDTLS_ERR_SSL_UNEXPECTED_RECORD
+         * to MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE here.
+         *
+         * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD does not appear to be
+         * used to detect a specific error condition, so this mapping
+         * should not remove any meaningful distinction.
+         */
+        if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) {
+            ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+        }
+
         return ret;
     }
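Review bot: The remapping at the end of the hunk is applied regardless of transport, although the added comment justifies it only by the DTLS epoch check and the commit subject is scoped to dtls; if mbedtls_ssl_read_record() can return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD on the stream transport as well, TLS callers would see their error code change too. Guarding the mapping, `if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) {`, keeps the compatibility fix limited to the case the comment describes. The MBEDTLS_SSL_DEBUG_RET call above logs the original code before it is rewritten, so the value returned to the caller no longer matches the debug output; adding `MBEDTLS_SSL_DEBUG_MSG(1, ("mapping MBEDTLS_ERR_SSL_UNEXPECTED_RECORD to MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE for compatibility"));` inside the new branch keeps the underlying condition (a record with the wrong epoch, such as a late alert from a previous connection) diagnosable from the log. The comment's "does not appear to be used to detect a specific error condition" is a hedge about the library's own behaviour; it would be clearer to state the checked fact or drop that sentence. ssl_parse_client_hello starts and ends outside the hunk.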