From 479de5a211b440edaafc0ff7ebd4a052f1b29215 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 6 Mar 2026 17:56:33 +0100 Subject: [PATCH] Always eval both ConstantCompare statements --- src/tls.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/src/tls.c b/src/tls.c index 0a5032c57c..fb5b766dd3 100644 --- a/src/tls.c +++ b/src/tls.c @@ -6072,15 +6072,16 @@ static int TLSX_SecureRenegotiation_Parse(WOLFSSL* ssl, const byte* input, } else if (*input == 2 * TLS_FINISHED_SZ && length == 2 * TLS_FINISHED_SZ + OPAQUE8_LEN) { + int cmpRes = 0; input++; /* get past size */ - + cmpRes |= ConstantCompare(input, + ssl->secure_renegotiation->client_verify_data, + TLS_FINISHED_SZ); + cmpRes |= ConstantCompare(input + TLS_FINISHED_SZ, + ssl->secure_renegotiation->server_verify_data, + TLS_FINISHED_SZ); /* validate client and server verify data */ - if (ConstantCompare(input, - ssl->secure_renegotiation->client_verify_data, - TLS_FINISHED_SZ) == 0 && - ConstantCompare(input + TLS_FINISHED_SZ, - ssl->secure_renegotiation->server_verify_data, - TLS_FINISHED_SZ) == 0) { + if (cmpRes == 0) { WOLFSSL_MSG("SCR client and server verify data match"); ret = 0; /* verified */ }