author | Jack Lloyd <[email protected]> | 2018-04-16 06:58:14 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-04-16 06:58:14 -0400 |
commit | aa6bca4a149228cc3061a7a357865597da53251c (patch) | |
tree | 1b1165d9c6ba6ccd47bc2ac01d1b641d1a675b67 /src/lib/tls | |
parent | 92605ef479e6b12a095a5451d20bcbcc72007c09 (diff) |
Use bad_record_mac instead of decode_error for short TLS packets
Decode error seems more appropriate but it confuses some automated
tools including older versions of TLS-Attacker.
Diffstat (limited to 'src/lib/tls')
-rw-r--r-- | src/lib/tls/tls_record.cpp | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp
index 1f564a689..b5ea33c07 100644
--- a/src/lib/tls/tls_record.cpp
+++ b/src/lib/tls/tls_record.cpp
@@ -299,8 +299,15 @@ void decrypt_record(secure_vector<uint8_t>& output,
 const uint8_t* msg = &record_contents[cs.nonce_bytes_from_record()];
 const size_t msg_length = record_len - cs.nonce_bytes_from_record();
+ /*
+ * This early rejection is based just on public information (length of the
+ * encrypted packet) and so does not leak any information. We used to use
+ * decode_error here which really is more appropriate, but that confuses some
+ * tools which are attempting automated detection of padding oracles,
+ * including older versions of TLS-Attacker.
+ */
 if(msg_length < aead->minimum_final_size())
- throw Decoding_Error("AEAD packet is shorter than the tag");
+ throw TLS_Exception(Alert::BAD_RECORD_MAC, "AEAD packet is shorter than the tag");
 const size_t ptext_size = aead->output_length(msg_length); |
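Review bot: The new bad_record_mac path only covers `msg_length < aead->minimum_final_size()`, but the context line just above the added comment computes `record_len - cs.nonce_bytes_from_record()`, which wraps when the record is shorter than the per-record nonce, so that case never reaches this check and relies on a guard outside the hunk. If that earlier guard still raises a decoding error, short records would produce two different alerts depending on their length, which is the inconsistency the added comment says confuses padding-oracle detection tools. Consider an explicit guard before `msg` is formed, `if(record_len < cs.nonce_bytes_from_record()) throw TLS_Exception(Alert::BAD_RECORD_MAC, "AEAD packet is shorter than the nonce");`, and a regression test asserting that a record shorter than the tag yields `Alert::BAD_RECORD_MAC`, so the alert choice is not reverted later. decrypt_record's body starts and ends outside this hunk, so the existing guard could not be confirmed from here.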