feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

TLS EtM: check all padding bytes are the same value

Browse Source 
Must be constant time so as not to provide an oracle.
That is, don't leak length of data and padding.
This commit is contained in:
Sean Parkinson
2021-06-17 13:23:06 +10:00
parent 54cef64250
commit 98ce4e901a
1 changed files with 27 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/internal.c
View File

@@ -16110,9 +16110,33 @@ int ProcessReply(WOLFSSL* ssl)
in->buffer + in->idx,
ssl->curSize - (word16)digestSz);
if (ret == 0) {
ssl->keys.padSz =
in->buffer[in->idx + ssl->curSize -
digestSz - 1];
byte invalid = 0;
byte padding = (byte)-1;
word32 i;
word32 off = in->idx + ssl->curSize - digestSz - 1;
/* Last of padding bytes - indicates length. */
ssl->keys.padSz = in->buffer[off];
/* Constant time checking of padding - don't leak
* the length of the data.
*/
/* Compare max pad bytes or at most data + pad. */
for (i = 1; i < MAX_PAD_SIZE && off >= i; i++) {
/* Mask on indicates this is expected to be a
* padding byte.
*/
padding &= ctMaskLTE(i, ssl->keys.padSz);
/* When this is a padding byte and not equal
* to length then mask is set.
*/
invalid |= padding &
ctMaskNotEq(in->buffer[off - i],
ssl->keys.padSz);
}
/* If mask is set then there was an error. */
if (invalid) {
ret = DECRYPT_ERROR;
}
ssl->keys.padSz += 1;
ssl->keys.decryptedCur = 1;
}