-rw-r--r--src/lib/tls/tls_record.cpp9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp
index 1f564a689..b5ea33c07 100644
--- a/src/lib/tls/tls_record.cpp
+++ b/src/lib/tls/tls_record.cpp
@@ -299,8 +299,15 @@ void decrypt_record(secure_vector<uint8_t>& output,
const uint8_t* msg = &record_contents[cs.nonce_bytes_from_record()];
const size_t msg_length = record_len - cs.nonce_bytes_from_record();
+ /*
+ * This early rejection is based just on public information (length of the
+ * encrypted packet) and so does not leak any information. We used to use
+ * decode_error here which really is more appropriate, but that confuses some
+ * tools which are attempting automated detection of padding oracles,
+ * including older versions of TLS-Attacker.
+ */
if(msg_length < aead->minimum_final_size())
- throw Decoding_Error("AEAD packet is shorter than the tag");
+ throw TLS_Exception(Alert::BAD_RECORD_MAC, "AEAD packet is shorter than the tag");
const size_t ptext_size = aead->output_length(msg_length);
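Review bot: The too-short check now answers with bad_record_mac, but `msg_length` is computed above the new comment as `record_len - cs.nonce_bytes_from_record()`, and nothing in this hunk shows that `record_len` was already checked against the nonce length. If that check sits outside the hunk and still throws `Decoding_Error`, a record shorter than the explicit nonce gets a different alert from one shorter than the tag, so the inconsistency the new comment describes would remain on that path. If no such check exists, the subtraction wraps and the `minimum_final_size()` comparison passes. Either way it is worth confirming, and where needed guarding before the subtraction with `if(record_len < cs.nonce_bytes_from_record()) throw TLS_Exception(Alert::BAD_RECORD_MAC, "AEAD packet is shorter than the nonce");`. The commit touches only tls_record.cpp, so a test pinning the alert type for a too-short AEAD record would keep this from regressing; decrypt_record's body starts and ends outside the hunk.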