From: Martin Willi
Date: Wed, 28 Sep 2011 15:00:48 +0000 (+0200)
Subject: Verify TLS MAC even if padding is invalid to prevent timing attacks
X-Git-Tag: 4.6.0~332
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b79bb79a66a3fad05bddacbe67f93e22fd60c283;p=thirdparty%2Fstrongswan.git
Verify TLS MAC even if padding is invalid to prevent timing attacks
---
diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index e85ded016d..dcc983b9c2 100644
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -154,13 +154,11 @@ METHOD(tls_protection_t, process, status_t,
 }
 padding_length = data.ptr[data.len - 1];
- if (padding_length >= data.len)
- {
- DBG1(DBG_TLS, "invalid TLS record padding");
- this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
- return NEED_MORE;
+ if (padding_length < data.len)
+ { /* remove padding if it looks valid. Continue with no padding, try
+ * to prevent timing attacks. */
+ data.len -= padding_length + 1;
 }
- data.len -= padding_length + 1;
 }
 if (this->signer_in)
 {
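Review bot: The timing mitigation is only partial: after this change the MAC under `if (this->signer_in)` is still computed over `data.len`, which depends on the attacker-controlled padding byte (the full record when the length looks invalid, `data.len - padding_length - 1` otherwise), so the MAC's running time remains correlated with the padding value rather than constant. Treating bad padding as a zero-length pad and still verifying the MAC is what RFC 5246 §6.2.3.2 suggests, but the same section asks that processing time be essentially independent of padding correctness; a stronger fix would feed the MAC a length that does not depend on `padding_length` (this residual length-dependent timing is the weakness later exploited by the Lucky 13 attack). The record is now rejected only by the MAC comparison, which lies outside the hunk, so that path should raise the same `TLS_BAD_RECORD_MAC` alert the removed branch did, and nothing in this hunk checks the padding bytes' contents — if that is done elsewhere it must likewise not abort before the MAC. I would reword the comment on the `{` line to `/* invalid padding length: keep the record as-is (zero-length pad, RFC 5246 6.2.3.2) and let the MAC check below reject it, so timing does not reveal padding validity */`. The `process` method starts and ends outside this hunk.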