From d17df51277d74ba6f487b3e72c4c0bb4ba55eb9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg@elzevir.fr>
Date: Sun, 27 Oct 2013 17:32:43 +0100
Subject: [PATCH] Make get_zeros_and_len_padding() constant-time

---
 library/cipher.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/library/cipher.c b/library/cipher.c
index 0f545adf21..17368a1718 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -491,23 +491,25 @@ static void add_zeros_and_len_padding( unsigned char *output,
 static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
                                       size_t *data_len )
 {
-    size_t i, padding_len = 0;
+    size_t i, pad_idx;
+    unsigned char padding_len, bad = 0;
 
     if( NULL == input || NULL == data_len )
         return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
 
     padding_len = input[input_len - 1];
-
-    if( padding_len > input_len || padding_len == 0 )
-        return POLARSSL_ERR_CIPHER_INVALID_PADDING;
-
-    for( i = input_len - padding_len; i < input_len - 1; i++ )
-        if( input[i] != 0x00 )
-            return POLARSSL_ERR_CIPHER_INVALID_PADDING;
-
     *data_len = input_len - padding_len;
 
-    return 0;
+    /* Avoid logical || since it results in a branch */
+    bad |= padding_len > input_len;
+    bad |= padding_len == 0;
+
+    /* The number of bytes checked must be independent of padding_len */
+    pad_idx = input_len - padding_len;
+    for( i = 0; i < input_len - 1; i++ )
+        bad |= input[i] * ( i >= pad_idx );
+
+    return POLARSSL_ERR_CIPHER_INVALID_PADDING * (bad != 0);
 }
 #endif /* POLARSSL_CIPHER_PADDING_ZEROS_AND_LEN */