From e46b17766c0e984f305700baa097b464e36f996b Mon Sep 17 00:00:00 2001
From: Paul Bakker <p.j.bakker@polarssl.org>
Date: Mon, 7 Jul 2014 14:04:00 +0200
Subject: [PATCH] Make get_pkcs_padding() constant-time

---
 ChangeLog        |  1 +
 library/cipher.c | 25 ++++++++++++++-----------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 77107d412..27a6747da 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,7 @@ Changes
 = Version 1.2.10 released 2013-10-07
 Changes
    * Changed RSA blinding to a slower but thread-safe version
+   * Make get_pkcs_padding() constant-time
 
 Bugfix
    * Fixed memory leak in RSA as a result of introduction of blinding
diff --git a/library/cipher.c b/library/cipher.c
index f20cc73b4..e8dae3a4f 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -500,7 +500,7 @@ static void add_pkcs_padding( unsigned char *output, size_t output_len,
         size_t data_len )
 {
     size_t padding_len = output_len - data_len;
-    unsigned char i = 0;
+    unsigned char i;
 
     for( i = 0; i < padding_len; i++ )
         output[data_len + i] = (unsigned char) padding_len;
@@ -509,23 +509,26 @@ static void add_pkcs_padding( unsigned char *output, size_t output_len,
 static int get_pkcs_padding( unsigned char *input, unsigned int input_len,
         size_t *data_len)
 {
-    unsigned int i, padding_len = 0;
+    unsigned int i, pad_idx;
+    unsigned char padding_len, bad = 0;
 
     if( NULL == input || NULL == data_len )
         return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
 
     padding_len = input[input_len - 1];
-
-    if( padding_len > input_len )
-        return POLARSSL_ERR_CIPHER_INVALID_PADDING;
-
-    for( i = input_len - padding_len; i < input_len; i++ )
-        if( input[i] != padding_len )
-            return POLARSSL_ERR_CIPHER_INVALID_PADDING;
-
     *data_len = input_len - padding_len;
 
-    return 0;
+    /* Avoid logical || since it results in a branch */
+    bad |= padding_len > input_len;
+    bad |= padding_len == 0;
+
+    /* The number of bytes checked must be independent of padding_len,
+     * so pick input_len, which is usually 8 or 16 (one block) */
+    pad_idx = input_len - padding_len;
+    for( i = 0; i < input_len; i++ )
+        bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
+
+    return POLARSSL_ERR_CIPHER_INVALID_PADDING * (bad != 0);
 }
 
 int cipher_finish( cipher_context_t *ctx, unsigned char *output, size_t *olen)