diff options
author | Ben Laurie <ben@links.org> | 2013-01-28 17:30:38 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2013-02-06 14:16:55 +0000 |
commit | 7c770d572a719fa40fa9c82807a0bd3840baf4a0 (patch) | |
tree | bc4d2be0bd12ef55460d16c760d87ff9ae954aa0 /ssl | |
parent | ea34a58385058748c51037bfb2c3208ee639f5f1 (diff) | |
download | openssl-7c770d572a719fa40fa9c82807a0bd3840baf4a0.tar.gz |
Add and use a constant-time memcmp.
This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
(cherry picked from commit 2ee798880a246d648ecddadc5b91367bee4a5d98)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/d1_pkt.c | 2 | ||||
-rw-r--r-- | ssl/s2_clnt.c | 2 | ||||
-rw-r--r-- | ssl/s2_pkt.c | 3 | ||||
-rw-r--r-- | ssl/s3_both.c | 2 | ||||
-rw-r--r-- | ssl/s3_pkt.c | 2 | ||||
-rw-r--r-- | ssl/t1_lib.c | 2 |
6 files changed, 6 insertions, 7 deletions
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 987af60835..5e2c56c983 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -463,7 +463,7 @@ printf("\n"); else rr->length = 0; i=s->method->ssl3_enc->mac(s,md,0); - if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0) + if (i < 0 || mac == NULL || CRYPTO_memcmp(md,mac,mac_size) != 0) { decryption_failed_or_bad_record_mac = 1; } diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index 76b690ea13..03b6cf9673 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c @@ -939,7 +939,7 @@ static int get_server_verify(SSL *s) s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */ p += 1; - if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0) + if (CRYPTO_memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT); diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c index ac963b2d47..8bb6ab8baa 100644 --- a/ssl/s2_pkt.c +++ b/ssl/s2_pkt.c @@ -269,8 +269,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek) s->s2->ract_data_length-=mac_size; ssl2_mac(s,mac,0); s->s2->ract_data_length-=s->s2->padding; - if ( (memcmp(mac,s->s2->mac_data, - (unsigned int)mac_size) != 0) || + if ( (CRYPTO_memcmp(mac,s->s2->mac_data,mac_size) != 0) || (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0)) { SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE); diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 349531460d..a537738f42 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -265,7 +265,7 @@ int ssl3_get_finished(SSL *s, int a, int b) goto f_err; } - if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) + if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) { al=SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED); diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 4299af1e7c..9246ff2951 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -465,7 +465,7 @@ printf("\n"); #endif } i=s->method->ssl3_enc->mac(s,md,0); - if (i < 0 || mac == NULL || memcmp(md, mac, (size_t)mac_size) != 0) + if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { decryption_failed_or_bad_record_mac = 1; } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index a1a8badcda..92e8f88c53 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3125,7 +3125,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, HMAC_Update(&hctx, etick, eticklen); HMAC_Final(&hctx, tick_hmac, NULL); HMAC_CTX_cleanup(&hctx); - if (memcmp(tick_hmac, etick + eticklen, mlen)) + if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) return 2; /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ |