> From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Felipe > Gasper <fel...@felipegasper.com> > Sent: Tuesday, April 30, 2019 11:06
> My question is, does TLS allow a client to be _able_ to parse an incomplete > message? > Or is it that only the entire message can be decoded? TLS doesn't have the concept of a "message". It has records. Application data from the peer may occupy one or more records. If a record can't be received completely, while it might be possible to decrypt the partial content (or, depending on cipher type and chaining mode, all but the last cipher block received), it wouldn't be possible to authenticate the data. Thus you'd fall prey to Moxie Marlinspike's Cryptography Doom Principle. Except in unusual circumstances (e.g. attacking the peer, or forensics) you Don't Want To Do That. Consider that if you're using a stream cipher, or a block cipher in a streaming mode such as GCM, that an attacker can 1) tamper with the application data in a record by bit-flipping, then 2) abort the conversation by forging an RST or similar, cutting the tampered block short. If the receiver attempts to act on the data in the partial block, the attack succeeds. Even just attempting to decrypt and log the partial data could be dangerous, for example if the log is later displayed using a web-based tool that has an XSS vulnerability, or some sort of binary parser with an exploitable overflow (e.g. a buggy Wireshark dissector). -- Michael Wojcik
