diff --git a/ChangeLog b/ChangeLog index 8a736f971..bb50581f1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,15 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.2.1 released 2015-12-xx + +Changes + * To avoid dropping an entire DTLS datagram if a single record in a datagram + is invalid, we now only drop the record and look at subsequent records (if + any are presemt) in the same datagram to avoid interoperability issues. + Previously the library was dropping the entire datagram. Where a record is + unexpected, the function mbedtls_ssl_read_record() will now return + MBEDTLS_ERR_SSL_UNEXPECTED_RECORD. + = mbed TLS 2.2.0 released 2015-11-04 Security diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 186eb4b39..aa473e9d5 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3467,16 +3467,16 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) * uint16 length; * * Return 0 if header looks sane (and, for DTLS, the record is expected) - * MBEDTLS_ERR_SSL_INVALID_RECORD is the header looks bad, + * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad, * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected. * * With DTLS, mbedtls_ssl_read_record() will: - * 1. proceed with the record if we return 0 - * 2. drop only the current record if we return UNEXPECTED_RECORD - * 3. return CLIENT_RECONNECT if we return that - * 4. drop the whole datagram if we return anything else. - * Point 2 is needed when the peer is resending, and we already received the - * first record from a datagram but are still waiting for the others. + * 1. proceed with the record if this function returns 0 + * 2. drop only the current record if this function returns UNEXPECTED_RECORD + * 3. return CLIENT_RECONNECT if this function return that value + * 4. drop the whole datagram if this function returns anything else. + * Point 2 is needed when the peer is resending, and we have already received + * the first record from a datagram but are still waiting for the others. */ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) {