Add ssl_set_dtls_badmac_limit()

commit: b0643d152d9f47f45e344195c43c9eb9a013940d [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Tue Oct 14 18:30:36 2014 +0200
committer: Paul Bakker <p.j.bakker@polarssl.org> Tue Oct 21 16:32:55 2014 +0200
tree: 19f438745d90fff797cdb2898c6ef512f0ec7238
parent: 9b35f18f6686554ec19d74575018881fabfef2ec [diff] [blame]
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 54add8e..7cb1442 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -3238,6 +3238,15 @@
             if( ret == POLARSSL_ERR_SSL_INVALID_RECORD ||
                 ret == POLARSSL_ERR_SSL_INVALID_MAC )
             {
+#if defined(POLARSSL_SSL_DTLS_BADMAC_LIMIT)
+                if( ssl->badmac_limit != 0 &&
+                    ++ssl->badmac_seen >= ssl->badmac_limit )
+                {
+                    SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
+                    return( POLARSSL_ERR_SSL_INVALID_MAC );
+                }
+#endif
+
                 SSL_DEBUG_MSG( 1, ( "discarding invalid record" ) );
                 goto read_record_header;
             }
@@ -4923,6 +4932,13 @@
 }
 #endif
 
+#if defined(POLARSSL_SSL_DTLS_BADMAC_LIMIT)
+void ssl_set_dtls_badmac_limit( ssl_context *ssl, unsigned limit )
+{
+    ssl->badmac_limit = limit;
+}
+#endif
+
 #if defined(POLARSSL_SSL_PROTO_DTLS)
 void ssl_set_handshake_timeout( ssl_context *ssl, uint32_t min, uint32_t max )
 {
commit	b0643d152d9f47f45e344195c43c9eb9a013940d	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Tue Oct 14 18:30:36 2014 +0200
committer	Paul Bakker <p.j.bakker@polarssl.org>	Tue Oct 21 16:32:55 2014 +0200
tree	19f438745d90fff797cdb2898c6ef512f0ec7238
parent	9b35f18f6686554ec19d74575018881fabfef2ec [diff] [blame]