Disable debug messages that can introduce a timing side channel.

Introduced the POLARSSL_SSL_DEBUG_ALL flag to enable all these debug messages in case somebody does want to see the reason checks fail.
2025-07-30 22:43:08 +03:00 · 2013-01-31 16:57:45 +01:00
parent 4582999be6
commit d66f070d49
3 changed files with 24 additions and 1 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1403,9 +1403,10 @@ static int ssl_decrypt_buf( ssl_context *ssl )

        if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
        {
+#if defined(POLARSSL_SSL_DEBUG_ALL)
            SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
                        ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
-
+#endif
            padlen = 0;
            fake_padlen = 256;
            correct = 0;
@ -1415,9 +1416,11 @@ static int ssl_decrypt_buf( ssl_context *ssl )
        {
            if( padlen > ssl->transform_in->ivlen )
            {
+#if defined(POLARSSL_SSL_DEBUG_ALL)
                SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
                                    "should be no more than %d",
                               padlen, ssl->transform_in->ivlen ) );
+#endif
                correct = 0;
            }
        }
@ -1443,8 +1446,10 @@ static int ssl_decrypt_buf( ssl_context *ssl )
                else
                    minlen = 1;
            }
+#if defined(POLARSSL_SSL_DEBUG_ALL)
            if( padlen > 0 && correct == 0)
                SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
+#endif
        }
    }