From 5a744e8d34c232e4b22a22f305372ded8fc1fb11 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Thu, 8 Jan 2026 09:15:40 +0100
Subject: [PATCH] ssl_tls12_server.c: Move ClientHello message_seq adjustment

Move ClientHello message_seq adjustment to the record layer.

Signed-off-by: Ronald Cron
---
 library/ssl_msg.c | 21 +++++++++++++++++++++
 library/ssl_tls12_server.c | 28 ----------------------------
 2 files changed, 21 insertions(+), 28 deletions(-)

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index b353345a35..6f2ac8826a 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -3261,6 +3261,27 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
 return MBEDTLS_ERR_SSL_INVALID_RECORD;
 }
 
+ /*
+ * When establishing the connection, the client may go through a series
+ * of ClientHello and HelloVerifyRequest requests and responses. The
+ * server does not keep any trace of these initial round trips as
+ * intended: minimum allocated ressources as long as the reachability
+ * of the client has not been confirmed. When receiving the "first
+ * ClientHello" from server perspective, we may thus need to adapt
+ * the next expected `message_seq` for the incoming and outgoing
+ * handshake messages.
+ */
+ if (ssl->in_msg[0] == MBEDTLS_SSL_HS_CLIENT_HELLO &&
+ ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+ ssl->state == MBEDTLS_SSL_CLIENT_HELLO
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
+#endif
+ ) {
+ ssl->handshake->in_msg_seq = recv_msg_seq;
+ ssl->handshake->out_msg_seq = recv_msg_seq;
+ }
+
 if (ssl->handshake != NULL &&
 ((mbedtls_ssl_is_handshake_over(ssl) == 0 &&
 recv_msg_seq != ssl->handshake->in_msg_seq) ||
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index d34d810f10..c5db5536b9 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
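Review bot: The added block in `mbedtls_ssl_prepare_handshake_record` writes `ssl->handshake->in_msg_seq` and `ssl->handshake->out_msg_seq` without testing `ssl->handshake`, while the context line immediately after it still guards with `ssl->handshake != NULL`, so the two conditions disagree on whether the pointer can be NULL at this point. If the state and renegotiation-status terms guarantee a live handshake structure (likely, but not visible in this hunk), state that invariant in the comment; otherwise make `ssl->handshake != NULL &&` the first term of the new condition. Since `recv_msg_seq` is taken from a ClientHello that has not been validated yet and is copied in just before the sequence comparison below, that comparison can no longer reject this message; the comment could say so explicitly. The check removed from `ssl_parse_client_hello` was annotated as something that "couldn't be done in ssl_prepare_handshake_record()", so a regression test showing that a renegotiation ClientHello with a mismatched `message_seq` is still refused would be worth adding. The function body starts and ends outside the hunk.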
@@ -993,34 +993,6 @@ static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
 }
 
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
- if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
- /*
- * Copy the client's handshake message_seq on initial handshakes,
- * check sequence number on renego.
- */
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
- /* This couldn't be done in ssl_prepare_handshake_record() */
- unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
- if (cli_msg_seq != ssl->handshake->in_msg_seq) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
- "%u (expected %u)", cli_msg_seq,
- ssl->handshake->in_msg_seq));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- ssl->handshake->in_msg_seq++;
- } else
-#endif
- {
- unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
- ssl->handshake->out_msg_seq = cli_msg_seq;
- ssl->handshake->in_msg_seq = cli_msg_seq + 1;
- }
- }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
 buf += mbedtls_ssl_hs_hdr_len(ssl);
 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);