Add ssl_set_dtls_badmac_limit()

2014-10-14 18:30:36 +02:00 · 2014-10-14 18:30:36 +02:00 · b0643d152d
commit b0643d152d
parent 9b35f18f66
4 changed files with 66 additions and 2 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -3238,6 +3238,15 @@ read_record_header:
            if( ret == POLARSSL_ERR_SSL_INVALID_RECORD ||
                ret == POLARSSL_ERR_SSL_INVALID_MAC )
            {
+#if defined(POLARSSL_SSL_DTLS_BADMAC_LIMIT)
+                if( ssl->badmac_limit != 0 &&
+                    ++ssl->badmac_seen >= ssl->badmac_limit )
+                {
+                    SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
+                    return( POLARSSL_ERR_SSL_INVALID_MAC );
+                }
+#endif
+
                SSL_DEBUG_MSG( 1, ( "discarding invalid record" ) );
                goto read_record_header;
            }
@ -4923,6 +4932,13 @@ void ssl_set_dtls_anti_replay( ssl_context *ssl, char mode )
 }
 #endif

+#if defined(POLARSSL_SSL_DTLS_BADMAC_LIMIT)
+void ssl_set_dtls_badmac_limit( ssl_context *ssl, unsigned limit )
+{
+    ssl->badmac_limit = limit;
+}
+#endif
+
 #if defined(POLARSSL_SSL_PROTO_DTLS)
 void ssl_set_handshake_timeout( ssl_context *ssl, uint32_t min, uint32_t max )
 {