Dont send alert on invalid DTLS record type
Do not send fatal alerts when receiving a record with an invalid header
while running DTLS as this is not compliant behaviour.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index bd2c270..ba586a0 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3458,7 +3458,6 @@
*/
static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
{
- int ret;
int major_ver, minor_ver;
MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
@@ -3480,12 +3479,13 @@
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
- if( ( ret = mbedtls_ssl_send_alert_message( ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
- {
- return( ret );
- }
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ /* Silently ignore invalid DTLS records as recommended by RFC 6347
+ * Section 4.1.2.7 */
+ if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
}