From 938489a1bce58a8cc3fab6d238c9eb1781e78089 Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Wed, 8 May 2019 13:02:22 +0100
Subject: [PATCH] Re-enable CID comparison when decrypting CID-based records

---
 library/ssl_tls.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 968ce13fa..074bf9cf9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2573,17 +2573,11 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
      * Match record's CID with incoming CID.
      */
 
-    /* Uncomment this once CID parsing is in place */
-    /* if( rec->cid_len != transform->in_cid_len || */
-    /*     memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 ) */
-    /* { */
-    /*     return( MBEDTLS_ERR_SSL_INVALID_RECORD ); */
-    /* } */
-
-    /* Remove this once CID parsing is in place */
-    rec->cid_len = transform->in_cid_len;
-    memcpy( rec->cid, transform->in_cid, transform->in_cid_len );
-    MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len );
+    if( rec->cid_len != transform->in_cid_len ||
+        memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
+    {
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
 #endif /* MBEDTLS_SSL_CID */
 
 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)