Commit f9cf774c authored by Matt Caswell

Ensure we unpad in constant time for read pipelining



The read pipelining code broke constant time unpadding. See GitHub
issue #1438

Reviewed-by: Rich Salz <rsalz@openssl.org>
parent 0f022f5a
+9 −3
@@ -831,9 +831,15 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send)
            int tmpret;
            for (ctr = 0; ctr < n_recs; ctr++) {
                tmpret = tls1_cbc_remove_padding(s, &recs[ctr], bs, mac_size);
                if (tmpret == -1)
                    return -1;
                ret &= tmpret;
                /*
                 * If tmpret == 0 then this means publicly invalid so we can
                 * short circuit things here. Otherwise we must respect constant
                 * time behaviour.
                 */
                if (tmpret == 0)
                    return 0;
                ret = constant_time_select_int(constant_time_eq_int(tmpret, 1),
                                               ret, -1);
            }
        }
        if (pad && !send) {
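Review bot: The `if (tmpret == 0) return 0;` early exit inside the `for (ctr = 0; ctr < n_recs; ctr++)` loop leaves the remaining pipelined records unprocessed, and the comment only asserts that this case is "publicly invalid" without saying why leaving the loop early here reveals nothing secret. Please extend the comment to state what makes a 0 result from `tls1_cbc_remove_padding` public, so a later change does not route a secret-dependent failure through the same branch. The comment should also record that `ret = constant_time_select_int(constant_time_eq_int(tmpret, 1), ret, -1);` maps every result other than 1 to -1 and that -1 is sticky across later records, because a good record keeps the existing `ret` rather than resetting it. That behaviour depends on `ret` not being reassigned between iterations and on the caller treating -1 without an early, timing-visible branch, neither of which is visible in this hunk. A regression test that pipelines several records with bad padding in only one of them would pin this down, given that the commit message says the pipelining code is what broke the constant-time path.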