DTLS: avoid dropping too many records

When the peer retransmits a flight with many record in the same datagram, and we already saw one of the records in that datagram, we used to drop the whole datagram, resulting in interoperability failure (spurious handshake timeouts, due to ignoring record retransmitted by the peer) with some implementations (issues with Chrome were reported). So in those cases, we want to only drop the current record, and look at the following records (if any) in the same datagram. OTOH, this is not something we always want to do, as sometime the header of the current record is not reliable enough. This commit introduces a new return code for ssl_parse_header() that allows to distinguish if we should drop only the current record or the whole datagram, and uses it in mbedtls_ssl_read_record() fixes #345
2015-12-03 16:13:17 +01:00 · 2015-12-03 16:13:17 +01:00 · e2e25e7427
commit e2e25e7427
parent 1630888aa0
4 changed files with 111 additions and 82 deletions
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@ -79,7 +79,7 @@
 * ECP       4   8 (Started from top)
 * MD        5   4
 * CIPHER    6   6
- * SSL       6   16 (Started from top)
+ * SSL       6   17 (Started from top)
 * SSL       7   31
 *
 * Module dependent error code (5 bits 0x.00.-0x.F8.)
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -106,6 +106,7 @@
 #define MBEDTLS_ERR_SSL_WANT_WRITE                        -0x6880  /**< Connection requires a write call. */
 #define MBEDTLS_ERR_SSL_TIMEOUT                           -0x6800  /**< The operation timed out. */
 #define MBEDTLS_ERR_SSL_CLIENT_RECONNECT                  -0x6780  /**< The client initiated a reconnect from the same port. */
+#define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD                 -0x6700  /**< Record header looks valid but is not expected. */

 /*
 * Various constants