From 686c8b13c50428896908cc1ad9190eb1b512a4de Mon Sep 17 00:00:00 2001 From: jsing Date: Wed, 21 Jul 2021 07:51:12 +0000 Subject: [PATCH] Silently discard invalid DTLS records. Per RFC 6347 section 4.1.2.1, DTLS should silently discard invalid records, including those that have a bad MAC. When converting to the new record layer, we inadvertantly switched to standard TLS behaviour, where an invalid record is fatal. This restores the previous behaviour. Issue noted by inoguchi@ ok inoguchi@ --- lib/libssl/d1_pkt.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c index 2610206797d..4e773a42bb7 100644 --- a/lib/libssl/d1_pkt.c +++ b/lib/libssl/d1_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_pkt.c,v 1.101 2021/07/19 08:42:24 jsing Exp $ */ +/* $OpenBSD: d1_pkt.c,v 1.102 2021/07/21 07:51:12 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -323,14 +323,22 @@ dtls1_process_record(SSL *s) if (alert_desc == 0) goto err; + /* + * DTLS should silently discard invalid records, including those + * with a bad MAC, as per RFC 6347 section 4.1.2.1. + */ + if (alert_desc == SSL_AD_BAD_RECORD_MAC) { + out_len = 0; + goto done; + } + if (alert_desc == SSL_AD_RECORD_OVERFLOW) SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - else if (alert_desc == SSL_AD_BAD_RECORD_MAC) - SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); goto fatal_err; } + done: rr->data = out; rr->length = out_len; rr->off = 0; @@ -345,7 +353,6 @@ dtls1_process_record(SSL *s) return (0); } - /* Call this to get a new input record. * It will return <= 0 if more data is needed, normally due to an error * or non-blocking IO. -- 2.20.1