CT fix for get_zeros_and_len_padding
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
diff --git a/library/cipher.c b/library/cipher.c
index 90145a5..6853fb8 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -837,16 +837,17 @@
*data_len = input_len - padding_len;
/* Avoid logical || since it results in a branch */
- bad |= padding_len > input_len;
- bad |= padding_len == 0;
+ bad |= mbedtls_ct_size_mask_ge(padding_len, input_len + 1);
+ bad |= mbedtls_ct_size_bool_eq(padding_len, 0);
/* The number of bytes checked must be independent of padding_len */
pad_idx = input_len - padding_len;
for (i = 0; i < input_len - 1; i++) {
- bad |= input[i] * (i >= pad_idx);
+ unsigned int mask = mbedtls_ct_size_mask_ge(i, pad_idx);
+ bad |= input[i] & mask;
}
- return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0);
+ return (int) mbedtls_ct_uint_if(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING, 0);
}
#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */