commit ea0aa655f6dde0007e0b6bd8ec49debed203aa79
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Tue Nov 14 08:38:52 2017 +0100
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Tue Nov 14 08:38:52 2017 +0100
tree 6e20dcc6a1cd78af2076ea76c0990e3ded544197
parent 41a38dfed6cef8867b448ca5e01a3a7da16475df
parent fe7fd6e8dc3c4d9a3a8e56105cb0ee769658f061

Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted

* mbedtls-2.1:
  Fix typo in asn1.h
  Improve leap year test names in x509parse.data
  Correctly handle leap year in x509_date_is_valid()
  Renegotiation: Add tests for SigAlg ext parsing
  Parse Signature Algorithm ext when renegotiating
  Fix changelog for ssl_server2.c usage fix
  Fix ssl_server2 sample application prompt
  Update ChangeLog for fix to #836
  Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog.
  Enhance documentation of mbedtls_ssl_set_hostname
  Add test case calling ssl_set_hostname twice
  Make mbedtls_ssl_set_hostname safe to be called multiple times
  Fix typo in configs/README.txt file

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index da29d70..1b01eb6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,8 +1,11 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+
 = mbed TLS 2.1.10 branch released 2017-xx-xx
 
 Bugfix
+   * Fix ssl_parse_record_header() to silently discard invalid DTLS records
+     as recommended in RFC 6347 Section 4.1.2.7.
    * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times.
      Found by projectgus and jethrogb, #836.
    * Fix usage help in ssl_server2 example. Found and fixed by Bei Lin.

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 23689d9..8088e88 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3458,7 +3458,6 @@
  */
 static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
 {
-    int ret;
     int major_ver, minor_ver;
 
     MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
@@ -3480,12 +3479,13 @@
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
 
-        if( ( ret = mbedtls_ssl_send_alert_message( ssl,
-                        MBEDTLS_SSL_ALERT_LEVEL_FATAL,
-                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
-        {
-            return( ret );
-        }
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        /* Silently ignore invalid DTLS records as recommended by RFC 6347
+         * Section 4.1.2.7 */
+        if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
 
         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
     }