author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-11-10 22:30:53 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-11-10 22:30:53 +0100 |
commit | 20ae8dcfab88dcf5d82c5569541c5c407cfc4962 (patch) | |
tree | 9ac2837b210df4c590eb163cc9572bb561e32c86 | |
parent | 2b91222a89d0fca3e8e00c012c973055358a3a26 (diff) | |
download | gnutls-20ae8dcfab88dcf5d82c5569541c5c407cfc4962.tar.gz |
provide less timing information during packet MAC verification.
-rw-r--r-- | lib/gnutls_cipher.c | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 716b7c9bd2..d5279ef9b0 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -544,13 +544,14 @@ ciphertext_to_compressed (gnutls_session_t session,
 * the pad_failed. If zero means success. */
 pad_failed = GNUTLS_E_DECRYPTION_FAILED;
+ pad = (int) ciphertext->size - tag_size;
 }
 length = ciphertext->size - tag_size - pad;
 /* Check the pading bytes (TLS 1.x) */
- if (ver != GNUTLS_SSL3 && pad_failed == 0)
+ if (ver != GNUTLS_SSL3)
 for (i = 2; i < pad; i++)
 {
 if (ciphertext->data[ciphertext->size - i] !=
@@ -582,12 +583,9 @@ ciphertext_to_compressed (gnutls_session_t session,
 /* This one was introduced to avoid a timing attack against the TLS * 1.0 protocol. */
- if (pad_failed != 0)
- return gnutls_assert_val(pad_failed);
-
 /* HMAC was not the same. */
- if (memcmp (tag, &ciphertext->data[length], tag_size) != 0)
+ if (memcmp (tag, &ciphertext->data[length], tag_size) != 0 || pad_failed != 0)
 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
 /* copy the decrypted stuff to compress_data.
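Review bot: With `pad` forced to `(int) ciphertext->size - tag_size` on the padding-failure path, `length` on the following line becomes 0, so whatever MAC computation sits between the two hunks (outside this view) runs over no payload bytes on failure and over the real plaintext otherwise; the work done before the final comparison therefore still depends on whether the padding was valid, and the timing difference this commit targets is narrowed rather than removed. A follow-up should make the MAC input length independent of the padding outcome when `pad_failed` is set, while still returning GNUTLS_E_DECRYPTION_FAILED. The cast on the added line binds to `ciphertext->size` alone; if `tag_size` is an unsigned type the subtraction happens in unsigned arithmetic before the store, so `pad = (int) (ciphertext->size - tag_size);` states the intent more plainly. ciphertext_to_compressed begins before and continues after this hunk, including the loop body that records the padding result.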
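Review bot: `memcmp` in the rewritten condition returns at the first differing tag byte, so the comparison time still depends on how much of the received tag matches the computed one; a MAC check should compare all `tag_size` bytes in a fixed number of iterations, e.g. `for (i = 0, diff = 0; i < tag_size; i++) diff |= tag[i] ^ ciphertext->data[length + i];` followed by `if (diff != 0 || pad_failed != 0)`, with `diff` declared as an `unsigned char` (or a project constant-time compare helper, if one exists). Keep the tag comparison as the first operand of the `||`: since both operands lead to the same return value the short-circuit is harmless as written, but swapping them would let a padding failure skip the comparison entirely and reintroduce a fast-fail path. ciphertext_to_compressed continues after this hunk.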