From f2f44a9c9f7c3c3d66324029d1131f5bc1d5910e Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 24 Mar 2026 15:42:42 +0100
Subject: [PATCH] Restrict mapping of UNEXPECTED_RECORD to UNEXPECTED_MESSAGE
Signed-off-by: Ronald Cron
---
 library/ssl_tls12_server.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 5dbdd3854c..26ba8590ac 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -880,6 +880,7 @@ static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
 if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record ", ret);
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
 /*
 * In the case of an alert message corresponding to the termination of
 * a previous connection, `ssl_parse_record_header()` and then
@@ -900,9 +901,16 @@ static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
 * used to detect a specific error condition, so this mapping
 * should not remove any meaningful distinction.
 */
- if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) {
- ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ if ((ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ && (ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE)
+#endif
+ ) {
+ if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) {
+ ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
 }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
 return ret;
 }
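Review bot: The new guard around the error mapping in the second hunk is undocumented: the comment that ends just above it (`* used to detect a specific error condition, so this mapping` / `* should not remove any meaningful distinction.`) was written for the unconditional mapping and says nothing about why it is now limited to `MBEDTLS_SSL_TRANSPORT_DATAGRAM` and, when `MBEDTLS_SSL_RENEGOTIATION` is enabled, to `MBEDTLS_SSL_INITIAL_HANDSHAKE`. As the hunk stands, a renegotiation on DTLS now lets `MBEDTLS_ERR_SSL_UNEXPECTED_RECORD` propagate out of `ssl_parse_client_hello()` where it was previously turned into `MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE`; if that is intended, callers presumably need to be prepared for it, and the reason should be stated where the exception is made. I would extend the comment with something like `* This only applies to the initial DTLS handshake; during a renegotiation UNEXPECTED_RECORD is returned unchanged because <reason>.` with the actual reason filled in, and name the renegotiation case in the commit message. The explanatory comment starts in the first hunk and its middle lies between the hunks, outside this view, and `ssl_parse_client_hello()` begins before the first hunk.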