Add and use a constant-time memcmp.

[openssl.git] / ssl / d1_pkt.c

diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index b709ebbfaae3d43d9b248ef1ff0a44a9a9432962..8e9ee5a77e5fab1a2b1ab8044dca69a87b47c5b8 100644 (file)
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -139,7 +139,6 @@ static int dtls1_process_record(SSL *s);
 #if PQ_64BIT_IS_INTEGER
 static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num);
 #endif
-static void dtls1_clear_timeouts(SSL *s);
 
 /* copy buffered record into SSL structure */
 static int
@@ -411,8 +410,8 @@ if (        (sess == NULL) ||
                        }
                else
                        rr->length = 0;
-               s->method->ssl3_enc->mac(s,md,0);
-               if (mac == NULL || memcmp(md, mac, mac_size) != 0)
+               i=s->method->ssl3_enc->mac(s,md,0);
+               if (i < 0 || mac == NULL || CRYPTO_memcmp(md,mac,mac_size) != 0)
                        {
                        decryption_failed_or_bad_record_mac = 1;
                        }
@@ -640,7 +639,6 @@ again:
                goto again;     /* get another record */
                }
 
-       dtls1_clear_timeouts(s);  /* done waiting */
        return(1);
 
        }
@@ -1109,6 +1107,9 @@ start:
                 */
                if (msg_hdr.type == SSL3_MT_FINISHED)
                        {
+                       if (dtls1_check_timeout_num(s) < 0)
+                               return -1;
+
                        dtls1_retransmit_buffered_messages(s);
                        rr->length = 0;
                        goto start;
@@ -1812,10 +1813,3 @@ bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num)
        return _num;
        }
 #endif
-
-
-static void
-dtls1_clear_timeouts(SSL *s)
-       {
-       memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st));
-       }