Disable debug messages that can introduce a timing side channel.
Introduced the POLARSSL_SSL_DEBUG_ALL flag to enable all these debug
messages in case somebody does want to see the reason checks fail.
(cherry picked from commit d66f070d492ef75405baad9f0d018b1bd06862c8)
Conflicts:
include/polarssl/config.h
library/ssl_tls.c
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 95e912f..2c618a7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -769,9 +769,10 @@
if( ssl->in_msglen < ssl->maclen + padlen )
{
+#if defined(POLARSSL_SSL_DEBUG_ALL)
SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
ssl->in_msglen, ssl->maclen, padlen ) );
-
+#endif
padlen = 0;
fake_padlen = 256;
correct = 0;
@@ -781,9 +782,11 @@
{
if( padlen > ssl->ivlen )
{
+#if defined(POLARSSL_SSL_DEBUG_ALL)
SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
"should be no more than %d",
padlen, ssl->ivlen ) );
+#endif
correct = 0;
}
}
@@ -809,8 +812,10 @@
else
minlen = 1;
}
+#if defined(POLARSSL_SSL_DEBUG_ALL)
if( padlen > 0 && correct == 0)
SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
+#endif
}
}