commit c37c96a3c513c75bb7f599668088c5c164e88483
author Hanno Becker <hanno.becker@arm.com> Tue May 14 11:02:36 2019 +0100
committer Hanno Becker <hanno.becker@arm.com> Mon Jun 03 16:07:50 2019 +0100
tree e41c4b802c4cffe072307428831f35a09d643b7a
parent b9ec44fcf6cb07f293b6ec967587c33b455831eb

Add specific SSL error code for unexpected CIDs

Currently, the stack silently ignores DTLS frames with an unexpected CID.
However, in a system which performs CID-based demultiplexing before passing
datagrams to the Mbed TLS stack, unexpected CIDs are a sign of something not
working properly, and users might want to know about it.

This commit introduces an SSL error code MBEDTLS_ERR_SSL_UNEXPECTED_CID
which the stack can return in response to an unexpected CID. It will
conditionally be put to use in subsequent commits.

include/mbedtls/error.h

diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
index bee0fe4..765fd42 100644
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@@ -100,8 +100,8 @@
  * ECP       4   10 (Started from top)
  * MD        5   5
  * HKDF      5   1 (Started from top)
- * CIPHER    6   8
- * SSL       6   23 (Started from top)
+ * CIPHER    6   8 (Started from 0x6080)
+ * SSL       6   24 (Started from top, plus 0x6000)
  * SSL       7   32
  *
  * Module dependent error code (5 bits 0x.00.-0x.F8.)

include/mbedtls/ssl.h

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 909258c..b616a73 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -126,6 +126,7 @@
 #define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING               -0x6580  /**< Internal-only message signaling that further message-processing should be done */
 #define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS                 -0x6500  /**< The asynchronous operation is not completed yet. */
 #define MBEDTLS_ERR_SSL_EARLY_MESSAGE                     -0x6480  /**< Internal-only message signaling that a message arrived early. */
+#define MBEDTLS_ERR_SSL_UNEXPECTED_CID                    -0x6000  /**< An encrypted DTLS-frame with an unexpected CID was received. */
 #define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS                -0x7000  /**< A cryptographic operation is in progress. Try again later. */
 
 /*

library/error.c

diff --git a/library/error.c b/library/error.c
index 608423b..e401a84 100644
--- a/library/error.c
+++ b/library/error.c
@@ -523,6 +523,8 @@
             mbedtls_snprintf( buf, buflen, "SSL - The asynchronous operation is not completed yet" );
         if( use_ret == -(MBEDTLS_ERR_SSL_EARLY_MESSAGE) )
             mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that a message arrived early" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_CID) )
+            mbedtls_snprintf( buf, buflen, "SSL - An encrypted DTLS-frame with an unexpected CID was received" );
         if( use_ret == -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) )
             mbedtls_snprintf( buf, buflen, "SSL - A cryptographic operation is in progress. Try again later" );
 #endif /* MBEDTLS_SSL_TLS_C */