From 16ded98befc372285b14d5aa6009d7c713db4823 Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Wed, 8 May 2019 13:02:55 +0100
Subject: [PATCH] Don't fail on record with unexpected CID

This commit changes the stack's behaviour when facing a record
with a non-matching CID. Previously, the stack failed in this
case, while now we silently skip over the current record.
---
 library/ssl_tls.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 074bf9cf9..57e05e836 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2576,7 +2576,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
     if( rec->cid_len != transform->in_cid_len ||
         memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
     {
-        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        /* Silently skip over record with mismatching CID. */
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
     }
 #endif /* MBEDTLS_SSL_CID */
 
@@ -5095,6 +5096,9 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
                                              &rec ) ) != 0 )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
+            if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
+                ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+
             return( ret );
         }