Don't fail on record with unexpected CID

This commit changes the stack's behaviour when facing a record
with a non-matching CID. Previously, the stack failed in this
case, while now we silently skip over the current record.
This commit is contained in:
Hanno Becker 2019-05-08 13:02:55 +01:00
parent 938489a1bc
commit 16ded98bef

View file

@ -2576,7 +2576,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
if( rec->cid_len != transform->in_cid_len || if( rec->cid_len != transform->in_cid_len ||
memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 ) memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
{ {
return( MBEDTLS_ERR_SSL_INVALID_RECORD ); /* Silently skip over record with mismatching CID. */
return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
} }
#endif /* MBEDTLS_SSL_CID */ #endif /* MBEDTLS_SSL_CID */
@ -5095,6 +5096,9 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
&rec ) ) != 0 ) &rec ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
return( ret ); return( ret );
} }