From 186306d6199096b7a7c4b4574d4be8cdb8426729 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Tue, 8 Nov 2022 15:10:25 +0000
Subject: [tls] Treat invalid block padding as zero length padding

Harden against padding oracle attacks by treating invalid block padding as zero length padding, thereby deferring the failure until after computing the (incorrect) MAC.

Signed-off-by: Michael Brown
---
src/net/tls.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/net/tls.c b/src/net/tls.c
index fdaa219..8a3ac3e 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2821,8 +2821,8 @@ static int tls_new_ciphertext ( struct tls_connection *tls,
 if ( is_block_cipher ( cipher ) ) {
 pad_len = tls_verify_padding ( tls, last );
 if ( pad_len < 0 ) {
- rc = pad_len;
- return rc;
+ /* Assume zero padding length to avoid timing attacks */
+ pad_len = 0;
 }
 iob_unput ( last, pad_len );
 len -= pad_len;
-- cgit v1.1
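Review bot: The new comment in the `pad_len < 0` branch mentions only timing attacks, but what makes discarding the error safe is that the record is still rejected by the MAC verification that follows, and that dependency is not written down at this point. I would spell it out, e.g. `/* Invalid padding: treat as zero length so that the MAC check below rejects the record (RFC 5246 section 6.2.3.2) */`, so that nobody later reorders or bypasses the MAC step for block ciphers without noticing that a padding error is no longer fatal on its own. A residual timing difference probably remains, since with `pad_len = 0` the MAC is computed over a different length than for a validly padded record, and whether `tls_verify_padding` itself runs in constant time is not visible in this hunk. The body of `tls_new_ciphertext` starts and ends outside the hunk, so the MAC check itself cannot be confirmed from here.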