Added sending of alert messages in case of decryption failures as per RFC

The flag POLARSSL_SSL_ALERT_MESSAGES switched between enabling and disabling the sending of alert messages that give adversaries intel about the result of their action. PolarSSL can still communicate with other parties if they are disabled, but debugging of issues might be harder.
2025-12-24 00:06:32 +01:00 · 2013-01-31 17:13:13 +01:00 · 2013-01-31 17:13:13 +01:00 · 40865c8e5d
commit 40865c8e5d
parent d66f070d49
3 changed files with 25 additions and 0 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1975,6 +1975,14 @@ int ssl_read_record( ssl_context *ssl )
    {
        if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
        {
+#if defined(POLARSSL_SSL_ALERT_MESSAGES)
+            if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
+            {
+                ssl_send_alert_message( ssl,
+                                        SSL_ALERT_LEVEL_FATAL,
+                                        SSL_ALERT_MSG_BAD_RECORD_MAC );
+            }
+#endif
            SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
            return( ret );
        }