Accept TLS records with zero-length plaintext

diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index 574e69167dc2ed8c879a93004211555059c5ccd5..d823bae0449c5d77f360d262e855003e2659c64e 100644 (file)
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -168,7 +168,7 @@ METHOD(tls_protection_t, process, status_t,
                u_int8_t bs;
 
                bs = this->signer_in->get_block_size(this->signer_in);
-               if (data.len <= bs)
+               if (data.len < bs)
                {
                        DBG1(DBG_TLS, "TLS record too short to verify MAC");
                        this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);