ssl_tls12_server.c: Move ClientHello message_seq adjustment

Move ClientHello message_seq adjustment to the record layer. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-05-09 03:04:24 +02:00 · 2026-01-08 09:15:40 +01:00
parent 06abef2307
commit 5a744e8d34
2 changed files with 21 additions and 28 deletions
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -3261,6 +3261,27 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
            return MBEDTLS_ERR_SSL_INVALID_RECORD;
        }

+        /*
+         * When establishing the connection, the client may go through a series
+         * of ClientHello and HelloVerifyRequest requests and responses. The
+         * server does not keep any trace of these initial round trips as
+         * intended: minimum allocated ressources as long as the reachability
+         * of the client has not been confirmed. When receiving the "first
+         * ClientHello" from server perspective, we may thus need to adapt
+         * the next expected `message_seq` for the incoming and outgoing
+         * handshake messages.
+         */
+        if (ssl->in_msg[0] == MBEDTLS_SSL_HS_CLIENT_HELLO &&
+            ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+            ssl->state == MBEDTLS_SSL_CLIENT_HELLO
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
+#endif
+            ) {
+            ssl->handshake->in_msg_seq = recv_msg_seq;
+            ssl->handshake->out_msg_seq = recv_msg_seq;
+        }
+
        if (ssl->handshake != NULL &&
            ((mbedtls_ssl_is_handshake_over(ssl) == 0 &&
              recv_msg_seq != ssl->handshake->in_msg_seq) ||
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -993,34 +993,6 @@ static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
        return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
    }

-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
-        /*
-         * Copy the client's handshake message_seq on initial handshakes,
-         * check sequence number on renego.
-         */
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
-        if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
-            /* This couldn't be done in ssl_prepare_handshake_record() */
-            unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
-            if (cli_msg_seq != ssl->handshake->in_msg_seq) {
-                MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
-                                          "%u (expected %u)", cli_msg_seq,
-                                          ssl->handshake->in_msg_seq));
-                return MBEDTLS_ERR_SSL_DECODE_ERROR;
-            }
-
-            ssl->handshake->in_msg_seq++;
-        } else
-#endif
-        {
-            unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
-            ssl->handshake->out_msg_seq = cli_msg_seq;
-            ssl->handshake->in_msg_seq  = cli_msg_seq + 1;
-        }
-    }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
    buf += mbedtls_ssl_hs_hdr_len(ssl);
    msg_len -= mbedtls_ssl_hs_hdr_len(ssl);