diff --git a/ChangeLog b/ChangeLog
index 1257e6133..ef245367a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,9 @@ Changes
 Security
    * Removed further timing differences during SSL message decryption in
      ssl_decrypt_buf()
+   * Removed timing differences due to bad padding from
+     rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
+     operations
 
 = Version 1.1.5 released on 2013-01-16
 Bugfix
diff --git a/library/rsa.c b/library/rsa.c
index 614b23c84..673614ea5 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -484,9 +484,9 @@ int rsa_pkcs1_decrypt( rsa_context *ctx,
                        unsigned char *output,
                        size_t output_max_len)
 {
-    int ret;
-    size_t ilen;
-    unsigned char *p;
+    int ret, correct = 1;
+    size_t ilen, pad_count = 0;
+    unsigned char *p, *q;
     unsigned char bt;
     unsigned char buf[1024];
 #if defined(POLARSSL_PKCS1_V21)
@@ -515,36 +515,57 @@ int rsa_pkcs1_decrypt( rsa_context *ctx,
         case RSA_PKCS_V15:
 
             if( *p++ != 0 )
-                return( POLARSSL_ERR_RSA_INVALID_PADDING );
+                correct = 0;
             
             bt = *p++;
             if( ( bt != RSA_CRYPT && mode == RSA_PRIVATE ) ||
                 ( bt != RSA_SIGN && mode == RSA_PUBLIC ) )
             {
-                return( POLARSSL_ERR_RSA_INVALID_PADDING );
+                correct = 0;
             }
 
             if( bt == RSA_CRYPT )
             {
                 while( *p != 0 && p < buf + ilen - 1 )
-                    p++;
+                    pad_count += ( *p++ != 0 );
 
-                if( *p != 0 || p >= buf + ilen - 1 )
-                    return( POLARSSL_ERR_RSA_INVALID_PADDING );
+                correct &= ( *p == 0 && p < buf + ilen - 1 );
 
+                q = p;
+
+                // Also pass over all other bytes to reduce timing differences
+                //
+                while ( q < buf + ilen - 1 )
+                    pad_count += ( *q++ != 0 );
+
+                // Prevent compiler optimization of pad_count
+                //
+                correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
                 p++;
             }
             else
             {
                 while( *p == 0xFF && p < buf + ilen - 1 )
-                    p++;
+                    pad_count += ( *p++ == 0xFF );
 
-                if( *p != 0 || p >= buf + ilen - 1 )
-                    return( POLARSSL_ERR_RSA_INVALID_PADDING );
+                correct &= ( *p == 0 && p < buf + ilen - 1 );
 
+                q = p;
+
+                // Also pass over all other bytes to reduce timing differences
+                //
+                while ( q < buf + ilen - 1 )
+                    pad_count += ( *q++ != 0 );
+
+                // Prevent compiler optimization of pad_count
+                //
+                correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
                 p++;
             }
 
+            if( correct == 0 )
+                return( POLARSSL_ERR_RSA_INVALID_PADDING );
+
             break;
 
 #if defined(POLARSSL_PKCS1_V21)