Part two of issue #9
Decoding for PKCS1v1.5 ciphertexts exits early if the first bytes of padding are incorrect.
|
if paddedData[0] != 0 || paddedData[1] != 2 { |
which creates a padding oracle.
Similarly, when the PKCS1v1.5 ciphertext is decrypted, the server returns an error immediately
|
preMasterSecret = try rsa.decrypt(encryptedPreMasterSecret) |
which creates a padding oracle that doesn't even require a side channel to execute since an attacker knows the PKCSv1.5 ciphertext padding was valid iff the server does not abort the connection. The correct way to handle this is to first generate a random 48 byte premaster, then RSA decrypt, then if the RSA ciphertext was invalid carry on using the randomized premaster. Then there is no oracle for an attacker to use.
Part two of issue #9
Decoding for PKCS1v1.5 ciphertexts exits early if the first bytes of padding are incorrect.
SwiftTLS/SwiftTLS/Sources/Crypto/RSA-PKCS1.swift
Line 100 in f5010aa
Similarly, when the PKCS1v1.5 ciphertext is decrypted, the server returns an error immediately
SwiftTLS/SwiftTLS/Sources/TLS/Protocol/TLS 1.2/TLS1_2.ServerProtocol.swift
Line 285 in f5010aa