Added description of change to the Changelog

Also clarified some comments following review.
Simon Butcher 2015-12-16 01:51:01 +00:00
parent 013198f30f
commit e103aa8a53
2 changed files with 17 additions and 7 deletions


@ -1,5 +1,15 @@
mbed TLS ChangeLog (Sorted per branch, date) mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.1.4 released 2015-12-xx
Changes
* To avoid dropping an entire DTLS datagram if a single record in a datagram
is invalid, we now only drop the record and look at subsequent records (if
any are present) in the same datagram to avoid interoperability issues.
Previously the library was dropping the entire datagram, Where a record is
unexpected, the function mbedtls_ssl_read_record() will now return
MBEDTLS_ERR_SSL_UNEXPECTED_RECORD.
= mbed TLS 2.1.3 released 2015-11-04 = mbed TLS 2.1.3 released 2015-11-04
Security Security
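Review bot: In the new 2.1.4 "Changes" entry, the sentence break at "datagram, Where a record is" is wrong: the comma should be a full stop, or the clause "Previously the library was dropping the entire datagram" should be dropped, since the first sentence already says it. The entry also states that mbedtls_ssl_read_record() will now return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD, while the comment updated in this same commit says mbedtls_ssl_read_record() drops only the current record when the header parser returns that code. Please state which function surfaces the code to its caller, so that applications reading the ChangeLog know whether they have to handle a new return value.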


@ -3457,16 +3457,16 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
* uint16 length; * uint16 length;
* *
* Return 0 if header looks sane (and, for DTLS, the record is expected) * Return 0 if header looks sane (and, for DTLS, the record is expected)
* MBEDTLS_ERR_SSL_INVALID_RECORD is the header looks bad, * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
* MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected. * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
* *
* With DTLS, mbedtls_ssl_read_record() will: * With DTLS, mbedtls_ssl_read_record() will:
* 1. proceed with the record if we return 0 * 1. proceed with the record if this function returns 0
* 2. drop only the current record if we return UNEXPECTED_RECORD * 2. drop only the current record if this function returns UNEXPECTED_RECORD
* 3. return CLIENT_RECONNECT if we return that * 3. return CLIENT_RECONNECT if this function returns that value
* 4. drop the whole datagram if we return anything else. * 4. drop the whole datagram if this function returns anything else.
* Point 2 is needed when the peer is resending, and we already received the * Point 2 is needed when the peer is resending, and we have already received
* first record from a datagram but are still waiting for the others. * the first record from a datagram but are still waiting for the others.
*/ */
static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
{ {
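Review bot: Point 3 of the numbered list relies on this function returning CLIENT_RECONNECT, but the "Return" part of the same comment lists only 0, MBEDTLS_ERR_SSL_INVALID_RECORD and MBEDTLS_ERR_SSL_UNEXPECTED_RECORD. Add the reconnect code to the return list, and spell out the full constant names in points 2 and 3 instead of the shortened UNEXPECTED_RECORD and CLIENT_RECONNECT so they can be searched for. Because point 4 makes every other return value drop the whole datagram, the set of specially handled codes documented here should be complete.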