authorMatt Caswell <matt@openssl.org>2016-08-16 14:07:29 +0100
committerMatt Caswell <matt@openssl.org>2016-08-16 16:53:17 +0100
commitf9cf774cbd31c3498ade4574c3b0ae6cb9773e28 (patch)
tree66a702057d8ae72428262ac79a97c9dfdfd2d24f
parent0f022f5a2201a591da7d373ebeeb7d29bdcaf95a (diff)
downloadopenssl-f9cf774cbd31c3498ade4574c3b0ae6cb9773e28.tar.gz
Ensure we unpad in constant time for read pipelining
The read pipelining code broke constant-time unpadding. See GitHub issue #1438.
Reviewed-by: Rich Salz <rsalz@openssl.org>
-rw-r--r--ssl/record/ssl3_record.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 5f9ce7a065..f1d6f72d83 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -831,9 +831,15 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send)
int tmpret;
for (ctr = 0; ctr < n_recs; ctr++) {
tmpret = tls1_cbc_remove_padding(s, &recs[ctr], bs, mac_size);
- if (tmpret == -1)
- return -1;
- ret &= tmpret;
+ /*
+ * If tmpret == 0 then this means publicly invalid so we can
+ * short circuit things here. Otherwise we must respect constant
+ * time behaviour.
+ */
+ if (tmpret == 0)
+ return 0;
+ ret = constant_time_select_int(constant_time_eq_int(tmpret, 1),
+ ret, -1);
}
}
if (pad && !send) {
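Review bot: The comment added above `if (tmpret == 0)` says the 0 case is public, but it does not record the two assumptions the following `constant_time_select_int` call depends on. The first is that tls1_cbc_remove_padding() returns only 0, 1 or -1 and decides 0 from public record lengths alone; that function is not visible in this hunk, so this should be confirmed there. The second is that `ret` stays at -1 once any record fails, and the loop deliberately keeps processing the remaining records. I would extend the comment with something like `ret stays -1 once any record has bad padding; keep looping so timing does not reveal which record failed`. The rest of tls1_enc and its caller are outside the hunk, and the caller presumably still has to handle -1 without exiting before the MAC check.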