Use CRYPTO_memcmp when comparing authenticators

Pointed out by Victor Vasiliev (vasilvv@mit.edu) via Adam Langley
(Google).

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Emilia Kasper 2015-05-27 17:12:13 +02:00
parent 65d3941f4a
commit 1e4a355dca
4 changed files with 8 additions and 5 deletions

View File

@ -50,6 +50,7 @@
#include <openssl/opensslconf.h> #include <openssl/opensslconf.h>
#ifndef OPENSSL_NO_AES #ifndef OPENSSL_NO_AES
#include <openssl/crypto.h>
# include <openssl/evp.h> # include <openssl/evp.h>
# include <openssl/err.h> # include <openssl/err.h>
# include <string.h> # include <string.h>
@ -1555,7 +1556,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
/* Retrieve tag */ /* Retrieve tag */
CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN); CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
/* If tag mismatch wipe buffer */ /* If tag mismatch wipe buffer */
if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) { if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
OPENSSL_cleanse(out, len); OPENSSL_cleanse(out, len);
goto err; goto err;
} }
@ -1990,7 +1991,7 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
!CRYPTO_ccm128_decrypt(ccm, in, out, len)) { !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
unsigned char tag[16]; unsigned char tag[16];
if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
if (!memcmp(tag, ctx->buf, cctx->M)) if (!CRYPTO_memcmp(tag, ctx->buf, cctx->M))
rv = len; rv = len;
} }
} }

View File

@ -54,6 +54,7 @@
#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_MD5) #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_MD5)
# include <openssl/crypto.h>
# include <openssl/evp.h> # include <openssl/evp.h>
# include <openssl/objects.h> # include <openssl/objects.h>
# include <openssl/rc4.h> # include <openssl/rc4.h>
@ -209,7 +210,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
MD5_Update(&key->md, mac, MD5_DIGEST_LENGTH); MD5_Update(&key->md, mac, MD5_DIGEST_LENGTH);
MD5_Final(mac, &key->md); MD5_Final(mac, &key->md);
if (memcmp(out + plen, mac, MD5_DIGEST_LENGTH)) if (CRYPTO_memcmp(out + plen, mac, MD5_DIGEST_LENGTH))
return 0; return 0;
} else { } else {
MD5_Update(&key->md, out + md5_off, len - md5_off); MD5_Update(&key->md, out + md5_off, len - md5_off);

View File

@ -1685,7 +1685,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag,
ctx->Xi.u[1] ^= ctx->EK0.u[1]; ctx->Xi.u[1] ^= ctx->EK0.u[1];
if (tag && len <= sizeof(ctx->Xi)) if (tag && len <= sizeof(ctx->Xi))
return memcmp(ctx->Xi.c, tag, len); return CRYPTO_memcmp(ctx->Xi.c, tag, len);
else else
return -1; return -1;
} }

View File

@ -59,6 +59,7 @@
# include <stdio.h> # include <stdio.h>
# include "internal/cryptlib.h" # include "internal/cryptlib.h"
#include <openssl/crypto.h>
# include <openssl/hmac.h> # include <openssl/hmac.h>
# include <openssl/rand.h> # include <openssl/rand.h>
# include <openssl/pkcs12.h> # include <openssl/pkcs12.h>
@ -123,7 +124,7 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
return 0; return 0;
} }
if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) if ((maclen != (unsigned int)p12->mac->dinfo->digest->length)
|| memcmp(mac, p12->mac->dinfo->digest->data, maclen)) || CRYPTO_memcmp(mac, p12->mac->dinfo->digest->data, maclen))
return 0; return 0;
return 1; return 1;
} }