From 9be94ba6aeca1f7430a1498b69472b098b4e9ecb Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 24 Mar 2026 15:42:42 +0100
Subject: [PATCH] Restrict mapping of UNEXPECTED_RECORD to UNEXPECTED_MESSAGE

Signed-off-by: Ronald Cron
---
 library/ssl_tls12_server.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index d9addc7424..f5d0d79632 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -923,6 +923,7 @@ static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
     if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record ", ret);
 
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
         /*
          * In the case of an alert message corresponding to the termination of
          * a previous connection, `ssl_parse_record_header()` and then
@@ -943,9 +944,16 @@ static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
          * used to detect a specific error condition, so this mapping
          * should not remove any meaningful distinction.
          */
-        if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) {
-            ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+        if ((ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            && (ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE)
+#endif
+            ) {
+            if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) {
+                ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+            }
         }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
 
         return ret;
     }
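Review bot: The explanatory comment ending at `* should not remove any meaningful distinction.` still describes the mapping as unconditional, while the new code only applies it for datagram transport during the initial handshake; the comment (its start lies in the previous hunk) should say why the other cases are now left unmapped, e.g. `* Only do this for DTLS during the initial handshake; in other cases UNEXPECTED_RECORD keeps its own meaning and is returned unchanged.`, with the exact rationale confirmed against ssl_parse_record_header(). The nested ifs could be folded by testing `ret` first, `if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD && ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM`, keeping the renegotiation clause under its `#if`. If MBEDTLS_ERR_SSL_UNEXPECTED_RECORD can reach this point on stream transport or during renegotiation, callers now observe a different error code than before, and the diffstat shows no ChangeLog entry for that user-visible change. ssl_parse_client_hello starts and ends outside the hunk.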