From: Ian Jackson Date: Thu, 25 Jul 2013 17:30:47 +0000 (+0100) Subject: transform: Do not look at any bytes of PKCS#5 padding other than the last X-Git-Tag: debian/0.3.0_beta2~35 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=commitdiff_plain;h=46008a7c3e56df88d06087d26cb9ddc197933589;hp=5ad34db2ccbbfbc936cd16121bed2110b70594ba transform: Do not look at any bytes of PKCS#5 padding other than the last This might avoid some timing-related information leaks. In principle this is a protocol change: we now no longer use actual PKCS#5 padding; instead, we use a padding scheme where all but the last byte of the padding may be sent as anything and are ignored by the receiver. Signed-off-by: Ian Jackson --- diff --git a/transform.c b/transform.c index 012f618..6618ec5 100644 --- a/transform.c +++ b/transform.c @@ -234,13 +234,7 @@ static uint32_t transform_reverse(void *sst, struct buffer_if *buf, return 1; } - padp=buf_unappend(buf,padlen-1); - for (i=0; i
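Review bot: the removed lines in this hunk are the per-byte loop over the first padlen-1 padding bytes (`padp=buf_unappend(buf,padlen-1); for (i=0; i`...), but the `return 1;` from the preceding padlen check is kept as context, so the receiver still branches on the decrypted length byte; the commit message's "might avoid some timing-related information leaks" should be read as covering only the per-byte comparison, and the length check remains a data-dependent early exit worth noting in the message or a comment. Since the message explicitly calls this a protocol change (all but the last padding byte are now ignored), the wire-format description should be updated in the same commit to say that only the final padding byte is significant and the others are arbitrary. Also confirm that `padp` and the loop index `i` are still referenced elsewhere in transform_reverse after this removal, otherwise they become unused-variable warnings.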