Harden against padding oracle attacks by treating invalid block
padding as zero length padding, thereby deferring the failure until
after computing the (incorrect) MAC.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
if ( is_block_cipher ( cipher ) ) {
pad_len = tls_verify_padding ( tls, last );
if ( pad_len < 0 ) {
- rc = pad_len;
- return rc;
+ /* Assume zero padding length to avoid timing attacks */
+ pad_len = 0;
}
iob_unput ( last, pad_len );
len -= pad_len;
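Review bot: The negative return from tls_verify_padding() is now discarded in the "if ( pad_len < 0 )" branch, so rejecting a record with bad padding rests entirely on the later MAC comparison failing over the unstripped data. Consider recording the failure in a local flag here (still setting pad_len = 0) and returning an error after the MAC has been computed if either the flag is set or the MAC mismatches, so that the outcome is explicit rather than implied. Also, the new comment says "avoid timing attacks", but because "len -= pad_len" still runs, the MAC covers a different number of bytes on the valid and invalid paths; "reduce" would describe the change more accurately than "avoid", and the comment could name the padding oracle that the commit message refers to.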