From 78c430269b51af4c2a70424198601438727b26d3 Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Fri, 3 May 2019 14:38:32 +0100
Subject: [PATCH] Don't allow calling CID API outside of DTLS

---
 library/ssl_tls.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index e80379e32..18a508d56 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -119,6 +119,9 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
                          unsigned char const *own_cid,
                          size_t own_cid_len )
 {
+    if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
     ssl->negotiate_cid = enable;
     if( enable == MBEDTLS_SSL_CID_DISABLED )
     {
@@ -153,8 +156,11 @@ int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
 {
     *enabled = MBEDTLS_SSL_CID_DISABLED;
 
-    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+    if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
+        ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
 
     /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
      * were used, but client and server requested the empty CID.