commit 40865c8e5d065c02d1e73c3c60d99e68eee0a0b0
author Paul Bakker <p.j.bakker@polarssl.org> Thu Jan 31 17:13:13 2013 +0100
committer Paul Bakker <p.j.bakker@polarssl.org> Sat Feb 02 19:04:13 2013 +0100
tree 2ef137d0d7017b35c005141bf8b063523a416d43
parent d66f070d492ef75405baad9f0d018b1bd06862c8

Added sending of alert messages in case of decryption failures as per RFC

The flag POLARSSL_SSL_ALERT_MESSAGES switched between enabling and
disabling the sending of alert messages that give adversaries intel
about the result of their action. PolarSSL can still communicate with
other parties if they are disabled, but debugging of issues might be
harder.

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0fae076..4194ac0 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1975,6 +1975,14 @@
     {
         if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
         {
+#if defined(POLARSSL_SSL_ALERT_MESSAGES)
+            if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
+            {
+                ssl_send_alert_message( ssl,
+                                        SSL_ALERT_LEVEL_FATAL,
+                                        SSL_ALERT_MSG_BAD_RECORD_MAC );
+            }
+#endif
             SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
             return( ret );
         }