Skip to content
Permalink
Browse files Browse the repository at this point in the history
[tls] Treat invalid block padding as zero length padding
Harden against padding oracle attacks by treating invalid block
padding as zero length padding, thereby deferring the failure until
after computing the (incorrect) MAC.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
  • Loading branch information
mcb30 committed Nov 8, 2022
1 parent 634a860 commit 186306d
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions src/net/tls.c
Expand Up @@ -2821,8 +2821,8 @@ static int tls_new_ciphertext ( struct tls_connection *tls,
if ( is_block_cipher ( cipher ) ) {
pad_len = tls_verify_padding ( tls, last );
if ( pad_len < 0 ) {
rc = pad_len;
return rc;
/* Assume zero padding length to avoid timing attacks */
pad_len = 0;
}
iob_unput ( last, pad_len );
len -= pad_len;
Expand Down

0 comments on commit 186306d

Please sign in to comment.