From ca9c87ed2bb6f78cca01ce0716f9c2bea636e252 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 25 Sep 2013 18:52:37 +0200
Subject: [PATCH] Removed possible cache-timing difference for pad check
---
library/ssl_tls.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 388ce8d26..39291fa43 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1510,17 +1510,17 @@ static int ssl_decrypt_buf( ssl_context *ssl )
* TLSv1+: always check the padding up to the first failure
* and fake check up to 256 bytes of padding
*/
- size_t pad_count = 0, fake_pad_count = 0;
+ size_t pad_count = 0, real_count = 1;
size_t padding_idx = ssl->in_msglen - padlen - 1;
- for( i = 1; i <= padlen; i++ )
- pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
-
- for( ; i <= 256; i++ )
- fake_pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
+ for( i = 1; i <= 256; i++ )
+ {
+ real_count &= ( i <= padlen );
+ pad_count += real_count *
+ ( ssl->in_msg[padding_idx + i] == padlen - 1 );
+ }
correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
- correct &= ( pad_count + fake_pad_count < 512 ); /* Always 1 */
#if defined(POLARSSL_SSL_DEBUG_ALL)
if( padlen > 0 && correct == 0)
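Review bot: The merged loop reads `ssl->in_msg[padding_idx + i]` for every `i` up to 256 whatever `padlen` is, so it reaches as far as index `in_msglen - padlen + 255`, and nothing in this hunk shows that the buffer behind `in_msg` has that much room past `in_msglen`. The old two-loop code touched the same indices, so this is not new, but the invariant deserves a comment above the loop, for example `/* reads in_msg[padding_idx+1 .. padding_idx+256]: the input buffer must keep 256 bytes of slack past in_msglen */`. Clamping the index instead would make the access pattern depend on `padlen` again, so the bound belongs where the buffer is sized. Separately, the masking through `real_count *` only removes the timing difference if the compiler emits branch-free code for `( i <= padlen )` and the `==` comparison, which is worth confirming in the generated code for the supported targets. `ssl_decrypt_buf` starts and ends outside the hunk, so any earlier check of `padlen` against `in_msglen` is not visible here.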