Treat an invalid record after decryption as fatal

If a record exhibits an invalid feature only after successful
authenticated decryption, this is a protocol violation by the
peer and should hence lead to connection failure. The previous
code, however, would silently ignore such records. This commit
fixes this.

So far, the only case to which this applies is the non-acceptance
of empty non-AD records in TLS 1.2. With the present commit, such
records lead to connection failure, while previously, they were
silently ignored.

With the introduction of the Connection ID extension (or TLS 1.3),
this will also apply to records whose real content type -- which
is only revealed during authenticated decryption -- is invalid.
This commit is contained in:
Hanno Becker 2019-05-03 16:36:59 +01:00
parent 6e7700df17
commit 82e2a3961c

View file

@ -5894,8 +5894,7 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{ {
/* Silently discard invalid records */ /* Silently discard invalid records */
if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD || if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
ret == MBEDTLS_ERR_SSL_INVALID_MAC )
{ {
/* Except when waiting for Finished as a bad mac here /* Except when waiting for Finished as a bad mac here
* probably means something went wrong in the handshake * probably means something went wrong in the handshake