Verify TLS MAC even if padding is invalid to prevent timing attacks
authorMartin Willi <martin@revosec.ch>
Wed, 28 Sep 2011 15:00:48 +0000 (17:00 +0200)
committerMartin Willi <martin@revosec.ch>
Wed, 28 Sep 2011 15:16:09 +0000 (17:16 +0200)
src/libtls/tls_protection.c

index e85ded0..dcc983b 100644 (file)
@@ -154,13 +154,11 @@ METHOD(tls_protection_t, process, status_t,
                }
 
                padding_length = data.ptr[data.len - 1];
-               if (padding_length >= data.len)
-               {
-                       DBG1(DBG_TLS, "invalid TLS record padding");
-                       this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-                       return NEED_MORE;
+               if (padding_length < data.len)
+               {       /* remove padding if it looks valid. Continue with no padding, try
+                        * to prevent timing attacks. */
+                       data.len -= padding_length + 1;
                }
-               data.len -= padding_length + 1;
        }
        if (this->signer_in)
        {