From ca9c87ed2bb6f78cca01ce0716f9c2bea636e252 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 25 Sep 2013 18:52:37 +0200
Subject: [PATCH] Removed possible cache-timing difference for pad check
---
 library/ssl_tls.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 388ce8d26..39291fa43 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1510,17 +1510,17 @@ static int ssl_decrypt_buf( ssl_context *ssl )
 * TLSv1+: always check the padding up to the first failure
 * and fake check up to 256 bytes of padding
 */
-size_t pad_count = 0, fake_pad_count = 0;
+size_t pad_count = 0, real_count = 1;
 size_t padding_idx = ssl->in_msglen - padlen - 1;
-for( i = 1; i <= padlen; i++ )
-pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
-
-for( ; i <= 256; i++ )
-fake_pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
+for( i = 1; i <= 256; i++ )
+{
+real_count &= ( i <= padlen );
+pad_count += real_count *
+( ssl->in_msg[padding_idx + i] == padlen - 1 );
+}
 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
-correct &= ( pad_count + fake_pad_count < 512 ); /* Always 1 */
 #if defined(POLARSSL_SSL_DEBUG_ALL)
 if( padlen > 0 && correct == 0)
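Review bot: The comment kept as context at the top of the hunk still describes a check "up to the first failure" plus a separate "fake check", but the new single loop never stops early: it visits all 256 positions and uses `real_count` as a 0/1 mask so that only the first `padlen` comparisons contribute to `pad_count`. I would rewrite it as `* TLSv1+: always visit 256 bytes after the padding start and mask out the comparisons beyond padlen, so the work done does not depend on the padding length` and, since `real_count` is a mask rather than a count, rename it to something like `pad_mask`. Two assumptions are worth recording in that comment: `i <= padlen` and `== padlen - 1` are relational expressions, so the absence of a secret-dependent branch relies on the compiler not lowering them to branches (the pre-patch loops made the same assumption), and the loop reads `in_msg[padding_idx + 1]` through `in_msg[padding_idx + 256]` whatever `padlen` is, so the receive buffer must have at least 256 bytes addressable past `padding_idx` — the removed fake-check loop already read that range, so this is not new, but the sizing that guarantees it is not visible in the hunk. ssl_decrypt_buf begins and ends outside the hunk.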