Send bad_record_mac instead of decryption_failed

The decryption failed alert was deprecated a long time ago. It can provide an attacker too much information to be able to distinguish between MAC failures and decryption failures and can lead to oracle attacks. Instead we should always use the bad_record_mac alert for these issues. This fixes one instance that still exists. It does not represent a security issue in this case because it is only ever sent if the record is publicly invalid, i.e. we have detected it is invalid without using any secret material. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10093) (cherry picked from commit 37133290832ac2d1389926eba7325125fdacbe8d)
author: Matt Caswell <matt@openssl.org> 2019-10-04 14:01:21 +0100
committer: Matt Caswell <matt@openssl.org> 2019-10-07 08:25:42 +0100
commit: f1fd279cceb9eb7a0294a1eab8345c3193f40a0a (patch)
tree: dd1dbd7eac6440b7dd4a5ba3598ab66a5769a714 /ssl
parent: a10765c2e0e94d2cd30711339d2ba3f3a244a206 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index d116ff0e90..d406adfb93 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -559,7 +559,7 @@ int ssl3_get_record(SSL *s)
             RECORD_LAYER_reset_read_sequence(&s->rlayer);
             return 1;
         }
-        SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD,
+        SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
                  SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
         return -1;
     }
author	Matt Caswell <matt@openssl.org>	2019-10-04 14:01:21 +0100
committer	Matt Caswell <matt@openssl.org>	2019-10-07 08:25:42 +0100
commit	f1fd279cceb9eb7a0294a1eab8345c3193f40a0a (patch)
tree	dd1dbd7eac6440b7dd4a5ba3598ab66a5769a714 /ssl
parent	a10765c2e0e94d2cd30711339d2ba3f3a244a206 (diff)