Make CBC decoding constant time.

[openssl.git] / ssl / ssl3.h

diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index b9a85effa0058b1ad7b84e7ae7193057a8c4e372..7709effe3ece79c838c68c95bdb601f11f5ef605 100644 (file)
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -304,6 +304,10 @@ typedef struct ssl3_record_st
 /*r */ unsigned char *comp;    /* only used with decompression - malloc()ed */
 /*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */
 /*r */  PQ_64BIT seq_num;       /* sequence number, needed by DTLS1 */
+/*rw*/ unsigned int orig_len;  /* How many bytes were available before padding
+                                  was removed? This is used to implement the
+                                  MAC check in constant time for CBC records.
+                                */
        } SSL3_RECORD;
 
 typedef struct ssl3_buffer_st