Added sending of alert messages in case of decryption failures as per RFC

The flag POLARSSL_SSL_ALERT_MESSAGES switched between enabling and disabling the sending of alert messages that give adversaries intel about the result of their action. PolarSSL can still communicate with other parties if they are disabled, but debugging of issues might be harder.
2025-08-01 10:06:53 +03:00 · 2013-01-31 17:13:13 +01:00
parent d66f070d49
commit 40865c8e5d
3 changed files with 25 additions and 0 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1975,6 +1975,14 @@ int ssl_read_record( ssl_context *ssl )
    {
        if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
        {
+#if defined(POLARSSL_SSL_ALERT_MESSAGES)
+            if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
+            {
+                ssl_send_alert_message( ssl,
+                                        SSL_ALERT_LEVEL_FATAL,
+                                        SSL_ALERT_MSG_BAD_RECORD_MAC );
+            }
+#endif
            SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
            return( ret );
        }