Blame SOURCES/gnutls-3.3.29-dummy-wait-hash-same-amount-of-blocks.patch

b88a44
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
b88a44
index 37478a4c3..65dde6899 100644
b88a44
--- a/lib/gnutls_cipher.c
b88a44
+++ b/lib/gnutls_cipher.c
b88a44
@@ -434,40 +434,41 @@ compressed_to_ciphertext(gnutls_session_t session,
b88a44
 	return length;
b88a44
 }
b88a44
 
b88a44
-static void dummy_wait(record_parameters_st * params,
b88a44
-		       gnutls_datum_t * plaintext, unsigned pad_failed,
b88a44
-		       unsigned int pad, unsigned total)
b88a44
+static void dummy_wait(record_parameters_st *params,
b88a44
+		       gnutls_datum_t *plaintext,
b88a44
+		       unsigned int mac_data, unsigned int max_mac_data)
b88a44
 {
b88a44
 	/* this hack is only needed on CBC ciphers */
b88a44
 	if (_gnutls_cipher_is_block(params->cipher) == CIPHER_BLOCK) {
b88a44
-		unsigned len, v;
b88a44
+		unsigned v;
b88a44
+		unsigned int tag_size =
b88a44
+		    _gnutls_auth_cipher_tag_len(&params->read.cipher_state);
b88a44
+		unsigned hash_block = _gnutls_mac_block_size(params->mac);
b88a44
 
b88a44
-		/* force an additional hash compression function evaluation to prevent timing 
b88a44
+		/* force additional hash compression function evaluations to prevent timing
b88a44
 		 * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
b88a44
 		 */
b88a44
-		if (pad_failed == 0 && pad > 0) {
b88a44
-			len = _gnutls_mac_block_size(params->mac);
b88a44
-			if (len > 0) {
b88a44
-				if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
b88a44
-					/* v = 1 for the hash function padding + 16 for message length */
b88a44
-					v = 17;
b88a44
-				else /* v = 1 for the hash function padding + 8 for message length */
b88a44
-					v = 9;
b88a44
-
b88a44
-				if ((pad + total) % len > len - v
b88a44
-				    && total % len <= len - v) {
b88a44
-					if (len < plaintext->size)
b88a44
-						_gnutls_auth_cipher_add_auth
b88a44
-						    (&params->read.
b88a44
-						     cipher_state,
b88a44
-						     plaintext->data, len);
b88a44
-					else
b88a44
-						_gnutls_auth_cipher_add_auth
b88a44
-						    (&params->read.
b88a44
-						     cipher_state,
b88a44
-						     plaintext->data,
b88a44
-						     plaintext->size);
b88a44
-				}
b88a44
+		if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
b88a44
+			/* v = 1 for the hash function padding + 16 for message length */
b88a44
+			v = 17;
b88a44
+		else /* v = 1 for the hash function padding + 8 for message length */
b88a44
+			v = 9;
b88a44
+
b88a44
+		if (hash_block > 0) {
b88a44
+			int max_blocks = (max_mac_data+v+hash_block-1)/hash_block;
b88a44
+			int hashed_blocks = (mac_data+v+hash_block-1)/hash_block;
b88a44
+			unsigned to_hash;
b88a44
+
b88a44
+			max_blocks -= hashed_blocks;
b88a44
+			if (max_blocks < 1)
b88a44
+				return;
b88a44
+
b88a44
+			to_hash = max_blocks * hash_block;
b88a44
+			if ((unsigned)to_hash+1+tag_size < plaintext->size) {
b88a44
+				_gnutls_auth_cipher_add_auth
b88a44
+					    (&params->read.cipher_state,
b88a44
+					     plaintext->data+plaintext->size-tag_size-to_hash-1,
b88a44
+					     to_hash);
b88a44
 			}
b88a44
 		}
b88a44
 	}
b88a44
@@ -725,8 +726,10 @@ ciphertext_to_compressed(gnutls_session_t session,
b88a44
 	if (unlikely
b88a44
 	    (memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
b88a44
 		/* HMAC was not the same. */
b88a44
-		dummy_wait(params, compressed, pad_failed, pad,
b88a44
-			   length + preamble_size);
b88a44
+			gnutls_datum_t data = {compressed->data, ciphertext->size};
b88a44
+
b88a44
+			dummy_wait(params, &data, length + preamble_size,
b88a44
+				   preamble_size + ciphertext->size - tag_size - 1);
b88a44
 
b88a44
 		return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
b88a44
 	}
b88a44
-- 
b88a44
2.14.3
b88a44