dtls: Error out on invalid/unexpected record header

Error out on invalid/unexpected record header when reading the DTLS 1.2 ClientHello. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-04-04 19:46:06 +02:00 · 2026-03-20 17:19:10 +01:00
parent 315c970fbe
commit 676d74e4c7
1 changed files with 24 additions and 0 deletions
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -4750,6 +4750,30 @@ static int ssl_get_next_record(mbedtls_ssl_context *ssl)
                ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
            }

+#if defined(MBEDTLS_SSL_SRV_C)
+            /*
+             * When retrieving the DTLS ClientHello on server side, error out
+             * when detecting an invalid or unexpected record.
+             */
+            if ((ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) &&
+                (ssl->state == MBEDTLS_SSL_CLIENT_HELLO)
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+                && (ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE)
+#endif
+                ) {
+                /*
+                 * For backward compatibility, return
+                 * MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE rather than
+                 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD.
+                 */
+                if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) {
+                    return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+                } else {
+                    return ret;
+                }
+            }
+#endif /* MBEDTLS_SSL_SRV_C */
+
            if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) {
 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
                /* Reset in pointers to default state for TLS/DTLS records,