From 687e0fb568dd5f28592549d241ea54631c1e1d9f Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 8 May 2019 13:02:55 +0100
Subject: [PATCH] Don't fail on record with unexpected CID

This commit changes the stack's behaviour when facing a record with a non-matching CID. Previously, the stack failed in this case, while now we silently skip over the current record.
---
 library/ssl_tls.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b6c73ea99..c2a84777d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2154,7 +2154,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
 if( rec->cid_len != transform->in_cid_len ||
 memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
 {
- return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+ /* Silently skip over record with mismatching CID. */
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
 }
 #endif /* MBEDTLS_SSL_CID */
@@ -4673,6 +4674,9 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
 &rec ) ) != 0 )
 {
 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
+ if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
+ ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+
 return( ret );
 }
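Review bot: In the ssl_prepare_record_content hunk the `MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret )` line still runs before the new remap to MBEDTLS_ERR_SSL_CONTINUE_PROCESSING, so every record whose CID does not match is reported at debug level 1 as a decrypt failure even though it is now a deliberate, non-fatal skip; because the CID is carried unprotected in the record header, any sender on the path can trigger that message at will, which makes level-1 logs noisy and misleading. Test the return code before the debug print and log the skip at a lower level, as sketched below; both ssl_decrypt_buf and ssl_prepare_record_content begin and end outside their hunks. The comment added in the mbedtls_ssl_decrypt_buf hunk, `/* Silently skip over record with mismatching CID. */`, also overstates what that function does: it only returns a code and the skip happens in the caller, so a wording like `/* CID mismatch: signal MBEDTLS_ERR_SSL_UNEXPECTED_RECORD so the caller can drop this record instead of failing the connection. */` is more accurate, and the documentation of mbedtls_ssl_decrypt_buf's return values (in its header, not visible here) presumably needs the new code added as well.
```c
    {
        if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
        {
            /* CID did not match: drop this record, keep the connection. */
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "record with unexpected CID, skipping" ) );
            return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
        }
        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
        return( ret );
    }
```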