commit c1c173cadffccac5766bd69b8e2c557a988b5670
author Hanno Becker <hanno.becker@arm.com> Fri Jul 19 10:59:12 2019 +0100
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Aug 01 09:51:53 2019 +0200
tree ac3d033f90dea675713c477d36958849c8a8be6c
parent 5579c5399b8414a9a7a6521b51b4f03676524f3a

Make sure 'record from another epoch' is displayed for next epoch

The test 'DTLS proxy: delay ChangeCipherSpec' from ssl-opt.sh
relies on this.

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3502f05..876941f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4978,21 +4978,23 @@
             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
         }
 
-        /* Records from the next epoch are considered for buffering
-         * (concretely: early Finished messages). */
-        if( rec_epoch == (unsigned) ssl->in_epoch + 1 )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
-            return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
-        }
         /* Records from other, non-matching epochs are silently discarded.
          * (The case of same-port Client reconnects must be considered in
          *  the caller). */
-        else if( rec_epoch != ssl->in_epoch )
+        if( rec_epoch != ssl->in_epoch )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
                                         "expected %d, received %d",
                                         ssl->in_epoch, rec_epoch ) );
+
+            /* Records from the next epoch are considered for buffering
+             * (concretely: early Finished messages). */
+            if( rec_epoch == (unsigned) ssl->in_epoch + 1 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
+                return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
+            }
+
             return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
         }
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)