[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Tue Aug 16 15:56:12 UTC 2016
The branch master has been updated
via f9cf774cbd31c3498ade4574c3b0ae6cb9773e28 (commit)
from 0f022f5a2201a591da7d373ebeeb7d29bdcaf95a (commit)
- Log -----------------------------------------------------------------
commit f9cf774cbd31c3498ade4574c3b0ae6cb9773e28
Author: Matt Caswell <matt at openssl.org>
Date: Tue Aug 16 14:07:29 2016 +0100
Ensure we unpad in constant time for read pipelining
The read pipelining code broke constant time unpadding. See GitHub
issue #1438
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
ssl/record/ssl3_record.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 5f9ce7a..f1d6f72 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -831,9 +831,15 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send)
int tmpret;
for (ctr = 0; ctr < n_recs; ctr++) {
tmpret = tls1_cbc_remove_padding(s, &recs[ctr], bs, mac_size);
- if (tmpret == -1)
- return -1;
- ret &= tmpret;
+ /*
+ * If tmpret == 0 then this means publicly invalid so we can
+ * short circuit things here. Otherwise we must respect constant
+ * time behaviour.
+ */
+ if (tmpret == 0)
+ return 0;
+ ret = constant_time_select_int(constant_time_eq_int(tmpret, 1),
+ ret, -1);
}
}
if (pad && !send) {
More information about the openssl-commits
mailing list