From 1141cd0fb634c754a4ad9a3572621b0656511247 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 24 Mar 2026 15:47:55 +0100 Subject: [PATCH] Improve comments Signed-off-by: Ronald Cron --- library/ssl_msg.c | 20 +++++++++++++++----- tests/ssl-opt.sh | 4 ++++ 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index c0c2825c4..0799a0067 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -4739,8 +4739,18 @@ static int ssl_get_next_record(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_SRV_C) /* - * When retrieving the DTLS ClientHello on server side, error out - * when detecting an invalid or unexpected record. + * In DTLS, invalid records are usually ignored because it is easy + * for an attacker to inject UDP datagrams, and we do not want such + * packets to disrupt the entire connection. + * + * However, when expecting the ClientHello, we reject invalid or + * unexpected records. This avoids waiting for further records + * before receiving at least one valid message. Such records could + * be leftover messages from a previous connection, accidental + * input, or part of a DoS attempt. + * + * Since no valid message has been received yet, immediately + * closing the connection does not result in any loss. */ if ((ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) && (ssl->state == MBEDTLS_SSL_CLIENT_HELLO) @@ -6164,9 +6174,9 @@ static void ssl_buffering_shift_slots(mbedtls_ssl_context *ssl, hs->buffering.hs[offset] = hs->buffering.hs[offset + shift]; } - /* Reset the remaining entries at the end. It may have been already - * done for the first ones by the loop freing the discarded entries but - * that is simpler and safer. + /* Reset the remaining entries at the end. Some may already have been + * cleared by the loop freeing the discarded entries, but resetting all + * of them is simpler and avoids tracking which ones were already handled. */ for (; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++) { memset(&hs->buffering.hs[offset], 0, sizeof(hs->buffering.hs[offset])); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index aa339a9ea..2b0341ebe 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -12171,6 +12171,7 @@ run_test "DTLS proxy: 3d, openssl client" \ # The following test fails intermittently on the CI with a frequency that # significantly impacts CI throughput. Disable it for the time being. +# See https://github.com/Mbed-TLS/mbedtls/issues/10652 for more information. skip_next_test requires_openssl_next client_needs_more_time 8 @@ -12187,6 +12188,7 @@ run_test "DTLS proxy: 3d, openssl client, fragmentation" \ # The following test fails intermittently on the CI with a frequency that # significantly impacts CI throughput. Disable it for the time being. +# See https://github.com/Mbed-TLS/mbedtls/issues/10652 for more information. skip_next_test requires_openssl_next client_needs_more_time 8 @@ -12259,6 +12261,7 @@ run_test "DTLS proxy: 3d, gnutls client" \ # The following test fails intermittently on the CI with a frequency that # significantly impacts CI throughput. Disable it for the time being. +# See https://github.com/Mbed-TLS/mbedtls/issues/10652 for more information. skip_next_test requires_gnutls client_needs_more_time 8 @@ -12274,6 +12277,7 @@ run_test "DTLS proxy: 3d, gnutls client, fragmentation" \ # The following test fails intermittently on the CI with a frequency that # significantly impacts CI throughput. Disable it for the time being. +# See https://github.com/Mbed-TLS/mbedtls/issues/10652 for more information. skip_next_test requires_gnutls client_needs_more_time 8