From 79b1c4fd5d0d72bf2e38130064b797ecc99c1cbe Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 21 Jul 2021 07:51:12 +0000
Subject: Silently discard invalid DTLS records.

Per RFC 6347 section 4.1.2.1, DTLS should silently discard invalid records,
including those that have a bad MAC. When converting to the new record
layer, we inadvertantly switched to standard TLS behaviour, where an
invalid record is fatal. This restores the previous behaviour.

Issue noted by inoguchi@

ok inoguchi@
---
 src/lib/libssl/d1_pkt.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 2610206797..4e773a42bb 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.101 2021/07/19 08:42:24 jsing Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.102 2021/07/21 07:51:12 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -323,14 +323,22 @@ dtls1_process_record(SSL *s)
 		if (alert_desc == 0)
 			goto err;
 
+		/*
+		 * DTLS should silently discard invalid records, including those
+		 * with a bad MAC, as per RFC 6347 section 4.1.2.1.
+		 */
+		if (alert_desc == SSL_AD_BAD_RECORD_MAC) {
+			out_len = 0;
+			goto done;
+		}
+
 		if (alert_desc == SSL_AD_RECORD_OVERFLOW)
 			SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
-		else if (alert_desc == SSL_AD_BAD_RECORD_MAC)
-			SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
 
 		goto fatal_err;
 	}
 
+ done:
 	rr->data = out;
 	rr->length = out_len;
 	rr->off = 0;
@@ -345,7 +353,6 @@ dtls1_process_record(SSL *s)
 	return (0);
 }
 
-
 /* Call this to get a new input record.
  * It will return <= 0 if more data is needed, normally due to an error
  * or non-blocking IO.
-- 
cgit v1.2.3-55-g6feb