From ca9c87ed2bb6f78cca01ce0716f9c2bea636e252 Mon Sep 17 00:00:00 2001
From: Paul Bakker <p.j.bakker@polarssl.org>
Date: Wed, 25 Sep 2013 18:52:37 +0200
Subject: [PATCH] Removed possible cache-timing difference for pad check

---
 library/ssl_tls.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 388ce8d264..39291fa43a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1510,17 +1510,17 @@ static int ssl_decrypt_buf( ssl_context *ssl )
              * TLSv1+: always check the padding up to the first failure
              * and fake check up to 256 bytes of padding
              */
-            size_t pad_count = 0, fake_pad_count = 0;
+            size_t pad_count = 0, real_count = 1;
             size_t padding_idx = ssl->in_msglen - padlen - 1;
 
-            for( i = 1; i <= padlen; i++ )
-                pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
-
-            for( ; i <= 256; i++ )
-                fake_pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
+            for( i = 1; i <= 256; i++ )
+            {
+                real_count &= ( i <= padlen );
+                pad_count += real_count *
+                             ( ssl->in_msg[padding_idx + i] == padlen - 1 );
+            }
 
             correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
-            correct &= ( pad_count + fake_pad_count < 512 ); /* Always 1 */
 
 #if defined(POLARSSL_SSL_DEBUG_ALL)
             if( padlen > 0 && correct == 0)