diff options
author | Matt Caswell <matt@openssl.org> | 2016-08-16 14:07:29 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-08-16 16:53:17 +0100 |
commit | f9cf774cbd31c3498ade4574c3b0ae6cb9773e28 (patch) | |
tree | 66a702057d8ae72428262ac79a97c9dfdfd2d24f | |
parent | 0f022f5a2201a591da7d373ebeeb7d29bdcaf95a (diff) | |
download | openssl-f9cf774cbd31c3498ade4574c3b0ae6cb9773e28.tar.gz |
Ensure we unpad in constant time for read pipelining
The read pipelining code broke constant time unpadding. See GitHub
issue #1438
Reviewed-by: Rich Salz <rsalz@openssl.org>
-rw-r--r-- | ssl/record/ssl3_record.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 5f9ce7a065..f1d6f72d83 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -831,9 +831,15 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send) int tmpret; for (ctr = 0; ctr < n_recs; ctr++) { tmpret = tls1_cbc_remove_padding(s, &recs[ctr], bs, mac_size); - if (tmpret == -1) - return -1; - ret &= tmpret; + /* + * If tmpret == 0 then this means publicly invalid so we can + * short circuit things here. Otherwise we must respect constant + * time behaviour. + */ + if (tmpret == 0) + return 0; + ret = constant_time_select_int(constant_time_eq_int(tmpret, 1), + ret, -1); } } if (pad && !send) { |