From 7c3cdb62de1583ee53c4c3da8ad60bc2fa460f1e Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 14 May 2019 11:02:36 +0100
Subject: [PATCH] Add specific SSL error code for unexpected CIDs

Currently, the stack silently ignores DTLS frames with an unexpected CID. However, in a system which performs CID-based demultiplexing before passing datagrams to the Mbed TLS stack, unexpected CIDs are a sign of something not working properly, and users might want to know about it. This commit introduces an SSL error code MBEDTLS_ERR_SSL_UNEXPECTED_CID which the stack can return in response to an unexpected CID. It will conditionally be put to use in subsequent commits.
---
 include/mbedtls/error.h | 4 ++--
 include/mbedtls/ssl.h | 1 +
 library/error.c | 2 ++
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
index bee0fe485..765fd42f8 100644
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@@ -100,8 +100,8 @@
 * ECP 4 10 (Started from top)
 * MD 5 5
 * HKDF 5 1 (Started from top)
- * CIPHER 6 8
- * SSL 6 23 (Started from top)
+ * CIPHER 6 8 (Started from 0x6080)
+ * SSL 6 24 (Started from top, plus 0x6000)
 * SSL 7 32
 *
 * Module dependent error code (5 bits 0x.00.-0x.F8.)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index b89cbdd64..869463e43 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -122,6 +122,7 @@
 #define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING -0x6580 /**< Internal-only message signaling that further message-processing should be done */
 #define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS -0x6500 /**< The asynchronous operation is not completed yet. */
 #define MBEDTLS_ERR_SSL_EARLY_MESSAGE -0x6480 /**< Internal-only message signaling that a message arrived early. */
+#define MBEDTLS_ERR_SSL_UNEXPECTED_CID -0x6000 /**< An encrypted DTLS-frame with an unexpected CID was received. */
 #define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS -0x7000 /**< A cryptographic operation is in progress. Try again later. */
 /*
diff --git a/library/error.c b/library/error.c
index 12312a056..0a9baebb2 100644
--- a/library/error.c
+++ b/library/error.c
@@ -523,6 +523,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 mbedtls_snprintf( buf, buflen, "SSL - The asynchronous operation is not completed yet" );
 if( use_ret == -(MBEDTLS_ERR_SSL_EARLY_MESSAGE) )
 mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that a message arrived early" );
+ if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_CID) )
+ mbedtls_snprintf( buf, buflen, "SSL - An encrypted DTLS-frame with an unexpected CID was received" );
 if( use_ret == -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) )
 mbedtls_snprintf( buf, buflen, "SSL - A cryptographic operation is in progress. Try again later" );
 #endif /* MBEDTLS_SSL_TLS_C */
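Review bot: The doc comment on the new `MBEDTLS_ERR_SSL_UNEXPECTED_CID` define says what was received but not how a caller must treat the return value: whether it is fatal to the connection, like most SSL errors, or a non-fatal condition after which the offending record has been discarded and the caller may simply call again, like the in-progress codes a few lines above. Since the commit message says nothing returns this code yet, this comment is where that contract gets fixed, and applications doing CID-based demultiplexing will want to count or log it, so they need to know whether tearing down the connection is required. Suggest extending the comment to, for example, `/**< An encrypted DTLS frame with an unexpected CID was received. [State here whether the error is fatal or whether the record was dropped and the connection can continue.] */` once the behaviour is decided. Minor wording: "DTLS-frame" should be "DTLS frame" both here and in the matching string added to `library/error.c` in the next hunk.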
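Review bot: The new `if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_CID) )` branch in `mbedtls_strerror` is written by hand, but in Mbed TLS `library/error.c` is normally produced by `scripts/generate_errors.pl` from the `/**<` comments in the error headers; if that is still how this tree is maintained, the file should be regenerated rather than edited so the string cannot drift from the header comment. The edit does mimic the generated form (the trailing period of the header comment is dropped, as for the neighbouring `ASYNC_IN_PROGRESS` and `EARLY_MESSAGE` strings), so a regeneration should yield the same two lines. `mbedtls_strerror`'s body starts and ends outside the hunk.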