Use bad_record_mac instead of decode_error for short TLS packets

Decode error seems more appropriate but it confuses some automated
tools including older versions of TLS-Attacker.

1 files changed, 8 insertions, 1 deletions

diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp
index 1f564a689..b5ea33c07 100644
--- a/src/lib/tls/tls_record.cpp
+++ b/src/lib/tls/tls_record.cpp
@@ -299,8 +299,15 @@ void decrypt_record(secure_vector<uint8_t>& output,
    const uint8_t* msg = &record_contents[cs.nonce_bytes_from_record()];
    const size_t msg_length = record_len - cs.nonce_bytes_from_record();
 
+   /*
+   * This early rejection is based just on public information (length of the
+   * encrypted packet) and so does not leak any information. We used to use
+   * decode_error here which really is more appropriate, but that confuses some
+   * tools which are attempting automated detection of padding oracles,
+   * including older versions of TLS-Attacker.
+   */
    if(msg_length < aead->minimum_final_size())
-      throw Decoding_Error("AEAD packet is shorter than the tag");
+      throw TLS_Exception(Alert::BAD_RECORD_MAC, "AEAD packet is shorter than the tag");
 
    const size_t ptext_size = aead->output_length(msg_length);