diff options
author | Ben Laurie <ben@links.org> | 2013-01-28 17:30:38 +0000 |
---|---|---|
committer | Ben Laurie <ben@links.org> | 2013-01-28 17:30:38 +0000 |
commit | 2ee798880a246d648ecddadc5b91367bee4a5d98 (patch) | |
tree | 519fae50d830922bb0f0cf55bd8da81f373e6395 /ssl | |
parent | ffcf4c61641068918e36b738b9464a16d0488e43 (diff) |
Add and use a constant-time memcmp.
This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/d1_pkt.c | 2 | ||||
-rw-r--r-- | ssl/s2_clnt.c | 2 | ||||
-rw-r--r-- | ssl/s2_pkt.c | 3 | ||||
-rw-r--r-- | ssl/s3_both.c | 2 | ||||
-rw-r--r-- | ssl/s3_pkt.c | 2 | ||||
-rw-r--r-- | ssl/t1_lib.c | 2 |
6 files changed, 6 insertions, 7 deletions
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 987af60835..5e2c56c983 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -463,7 +463,7 @@ printf("\n"); else rr->length = 0; i=s->method->ssl3_enc->mac(s,md,0); - if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0) + if (i < 0 || mac == NULL || CRYPTO_memcmp(md,mac,mac_size) != 0) { decryption_failed_or_bad_record_mac = 1; } diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index 76b690ea13..03b6cf9673 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c @@ -939,7 +939,7 @@ static int get_server_verify(SSL *s) s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */ p += 1; - if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0) + if (CRYPTO_memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT); diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c index ac963b2d47..8bb6ab8baa 100644 --- a/ssl/s2_pkt.c +++ b/ssl/s2_pkt.c @@ -269,8 +269,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek) s->s2->ract_data_length-=mac_size; ssl2_mac(s,mac,0); s->s2->ract_data_length-=s->s2->padding; - if ( (memcmp(mac,s->s2->mac_data, - (unsigned int)mac_size) != 0) || + if ( (CRYPTO_memcmp(mac,s->s2->mac_data,mac_size) != 0) || (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0)) { SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE); diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 918da350e0..ead01c82a1 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -265,7 +265,7 @@ int ssl3_get_finished(SSL *s, int a, int b) goto f_err; } - if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) + if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) { al=SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED); diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index dca345865a..3e111406ba 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -463,7 +463,7 @@ printf("\n"); #endif } i=s->method->ssl3_enc->mac(s,md,0); - if (i < 0 || mac == NULL || memcmp(md, mac, (size_t)mac_size) != 0) + if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { decryption_failed_or_bad_record_mac = 1; } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index d8df062a80..27010dd50d 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2226,7 +2226,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, HMAC_Update(&hctx, etick, eticklen); HMAC_Final(&hctx, tick_hmac, NULL); HMAC_CTX_cleanup(&hctx); - if (memcmp(tick_hmac, etick + eticklen, mlen)) + if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) return 2; /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ |