commit 37cfe73c92ab330c2bbee208567c81a302627ca7
author Hanno Becker <hanno.becker@arm.com> Wed Jul 10 17:20:01 2019 +0100
committer Hanno Becker <hanno.becker@arm.com> Wed Aug 14 14:45:20 2019 +0100
tree 5884077c3f6c5ae4d1e355d862c8891c5a57bed8
parent 955a5c98df8d9067afda00eded8003a012ee295e

Minor documentation improvements in ssl_parse_record_header()

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 135caa0..69abb6a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4994,12 +4994,17 @@
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram too small to contain record." ) );
             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
         }
+
+        /* Records from the next epoch are considered for buffering
+         * (concretely: early Finished messages). */
         if( rec_epoch == (unsigned) ssl->in_epoch + 1 )
         {
-            /* Consider buffering the record. */
             MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
             return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
         }
+        /* Records from other, non-matching epochs are silently discarded.
+         * (The case of same-port Client reconnects must be considered in
+         *  the caller). */
         else if( rec_epoch != ssl->in_epoch )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
@@ -5008,7 +5013,8 @@
             return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
         }
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
-        /* Replay detection only works for the current epoch */
+        /* For records from the correct epoch, check whether their
+         * sequence number has been seen before. */
         else if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );