Removed possible cache-timing difference for pad check

This commit is contained in:
Paul Bakker 2013-09-25 18:52:37 +02:00
parent 8b817dc47e
commit ca9c87ed2b

View File

@ -1510,17 +1510,17 @@ static int ssl_decrypt_buf( ssl_context *ssl )
* TLSv1+: always check the padding up to the first failure
* and fake check up to 256 bytes of padding
*/
size_t pad_count = 0, fake_pad_count = 0;
size_t pad_count = 0, real_count = 1;
size_t padding_idx = ssl->in_msglen - padlen - 1;
for( i = 1; i <= padlen; i++ )
pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
for( ; i <= 256; i++ )
fake_pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
for( i = 1; i <= 256; i++ )
{
real_count &= ( i <= padlen );
pad_count += real_count *
( ssl->in_msg[padding_idx + i] == padlen - 1 );
}
correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
correct &= ( pad_count + fake_pad_count < 512 ); /* Always 1 */
#if defined(POLARSSL_SSL_DEBUG_ALL)
if( padlen > 0 && correct == 0)