aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2018-04-16 06:58:14 -0400
committerJack Lloyd <[email protected]>2018-04-16 06:58:14 -0400
commitaa6bca4a149228cc3061a7a357865597da53251c (patch)
tree1b1165d9c6ba6ccd47bc2ac01d1b641d1a675b67
parent92605ef479e6b12a095a5451d20bcbcc72007c09 (diff)
Use bad_record_mac instead of decode_error for short TLS packets
Decode error seems more appropriate but it confuses some automated tools including older versions of TLS-Attacker.
-rw-r--r--src/lib/tls/tls_record.cpp9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp
index 1f564a689..b5ea33c07 100644
--- a/src/lib/tls/tls_record.cpp
+++ b/src/lib/tls/tls_record.cpp
@@ -299,8 +299,15 @@ void decrypt_record(secure_vector<uint8_t>& output,
const uint8_t* msg = &record_contents[cs.nonce_bytes_from_record()];
const size_t msg_length = record_len - cs.nonce_bytes_from_record();
+ /*
+ * This early rejection is based just on public information (length of the
+ * encrypted packet) and so does not leak any information. We used to use
+ * decode_error here which really is more appropriate, but that confuses some
+ * tools which are attempting automated detection of padding oracles,
+ * including older versions of TLS-Attacker.
+ */
if(msg_length < aead->minimum_final_size())
- throw Decoding_Error("AEAD packet is shorter than the tag");
+ throw TLS_Exception(Alert::BAD_RECORD_MAC, "AEAD packet is shorter than the tag");
const size_t ptext_size = aead->output_length(msg_length);