which creates a padding oracle that doesn't even require a side channel to execute, since an attacker knows the PKCS1v1.5 ciphertext padding was valid iff the server does not abort the connection. The correct way to handle this is to first generate a random 48-byte premaster, then RSA decrypt, then, if the RSA ciphertext was invalid, carry on using the randomized premaster. Then there is no oracle for an attacker to use.
Part two of issue #9
Decoding for PKCS1v1.5 ciphertexts exits early if the first bytes of padding are incorrect.
SwiftTLS/SwiftTLS/Sources/Crypto/RSA-PKCS1.swift
Line 100 in f5010aa
Similarly, when the PKCS1v1.5 ciphertext is decrypted, the server returns an error immediately
SwiftTLS/SwiftTLS/Sources/TLS/Protocol/TLS 1.2/TLS1_2.ServerProtocol.swift
Line 285 in f5010aa
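
One way to structure the countermeasure described in this issue, as an added example that is not SwiftTLS code: the padding checks and the choice between the decrypted and the random premaster are folded into masks, so no path returns early or raises an error on bad padding. The names `isZeroMask`, `selectPremaster` and `recoverPremaster` are hypothetical, and raw RSA decryption is assumed to be supplied by the caller as a closure returning the unpadded block at full modulus length.

```swift
// Hypothetical helper: 0xFF when x == 0, otherwise 0x00, with no branch on x.
func isZeroMask(_ x: UInt32) -> UInt8 {
    return UInt8(truncatingIfNeeded: 0 &- ((~x & (x &- 1)) >> 31))
}

// Hypothetical helper: em is the raw RSA result, left-padded to the modulus
// length: 0x00 || 0x02 || PS (non-zero bytes) || 0x00 || 48-byte premaster.
// Every check is folded into `bad`; nothing returns early or throws on bad
// padding. Swift itself gives no constant-time guarantee, so this shows the
// control flow, not a timing-hardened build.
func selectPremaster(decrypted em: [UInt8], fallback random: [UInt8]) -> [UInt8] {
    let n = 48
    precondition(random.count == n && em.count >= n + 11) // public lengths only
    let sep = em.count - n - 1          // the only place the 0x00 separator may sit
    var bad = UInt32(em[0]) | UInt32(em[1] ^ 0x02) | UInt32(em[sep])
    for i in 2..<sep {
        bad |= UInt32(isZeroMask(UInt32(em[i])))  // a zero byte inside PS is invalid
    }
    let useRandom = ~isZeroMask(bad)    // 0xFF if any check failed, else 0x00
    var out = [UInt8](repeating: 0, count: n)
    for i in 0..<n {
        out[i] = (random[i] & useRandom) | (em[sep + 1 + i] & ~useRandom)
    }
    return out
}

// Order from the issue: random premaster first, then decrypt, then select.
func recoverPremaster(rawRSADecrypt: () -> [UInt8]) -> [UInt8] {
    let random = (0..<48).map { _ in UInt8.random(in: 0...255) }
    return selectPremaster(decrypted: rawRSADecrypt(), fallback: random)
}

// Constructed sample blocks for a 128-byte modulus (not captured traffic).
let secret = [UInt8](repeating: 0xAB, count: 48)
let padding = [UInt8](repeating: 0xFF, count: 77)
let valid: [UInt8] = [0x00, 0x02] + padding + [0x00] + secret
let invalid: [UInt8] = [0x00, 0x01] + padding + [0x00] + secret  // wrong block type
print("valid block yields the sent premaster:", recoverPremaster { valid } == secret)
print("invalid block yields the sent premaster:", recoverPremaster { invalid } == secret)
```

With this shape the handshake continues in both cases and only fails later at the Finished check, which is the same observable behaviour for valid and invalid padding.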