Verify TLS MAC even if padding is invalid to prevent timing attacks
author
Martin Willi
<martin@revosec.ch>
Wed, 28 Sep 2011 15:00:48 +0000
(17:00 +0200)
committer
Martin Willi
<martin@revosec.ch>
Wed, 28 Sep 2011 15:16:09 +0000
(17:16 +0200)
src/libtls/tls_protection.c
diff --git
a/src/libtls/tls_protection.c
b/src/libtls/tls_protection.c
index
e85ded0
..
dcc983b
100644
(file)
--- a/
src/libtls/tls_protection.c
+++ b/
src/libtls/tls_protection.c
@@
-154,13
+154,11
@@
METHOD(tls_protection_t, process, status_t,
}
padding_length = data.ptr[data.len - 1];
}
padding_length = data.ptr[data.len - 1];
- if (padding_length >= data.len)
- {
- DBG1(DBG_TLS, "invalid TLS record padding");
- this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
- return NEED_MORE;
+ if (padding_length < data.len)
+ { /* remove padding if it looks valid. Continue with no padding, try
+ * to prevent timing attacks. */
+ data.len -= padding_length + 1;
}
}
- data.len -= padding_length + 1;
}
if (this->signer_in)
{
}
if (this->signer_in)
{
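Review bot: The MAC verified in the `if (this->signer_in)` path that follows is still computed over `data.len`, which the new `if (padding_length < data.len)` branch shrinks by `padding_length + 1` only when the padding byte looks plausible, so the amount of data hashed — and the time that takes — still depends on the attacker-controlled padding byte; the change narrows the oracle but does not make the check constant-time. The body of process() continues outside the hunk, so the signer call itself is not visible here; if the MAC input length is not otherwise fixed there, a comment such as `/* NOTE: MAC is still computed over a padding-dependent length; timing is reduced, not eliminated */` above the new branch would keep that limitation visible to the next maintainer. The hunk also does not compare the padding bytes themselves against `padding_length` (TLS 1.1 and 1.2 require every padding byte to equal the length byte); if that check exists elsewhere in process(), it should feed the same "keep going and let the MAC fail" path rather than return early, or it reintroduces the distinguisher this commit removes.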