Add and use a constant-time memcmp.

This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.

diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c
index a7cb4202e863530efa38e66c3a3f887471cc2eac..304c6b70627b2aeb88abe71a6863cfef2302bd6f 100644 (file)
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -925,3 +925,16 @@ void OpenSSLDie(const char *file,int line,const char *assertion)
        }
 
 void *OPENSSL_stderr(void)     { return stderr; }
+
+int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len)
+       {
+       size_t i;
+       const unsigned char *a = in_a;
+       const unsigned char *b = in_b;
+       unsigned char x = 0;
+
+       for (i = 0; i < len; i++)
+               x |= a[i] ^ b[i];
+
+       return x;
+       }

diff --git a/crypto/crypto.h b/crypto/crypto.h
index 61605769bb2b3d2016d156ee5f39f27aed832d24..f92fc5182d9e92f6488997db45d117f0cc1a40b2 100644 (file)
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -574,6 +574,13 @@ void OPENSSL_init(void);
 #define fips_cipher_abort(alg) while(0)
 #endif
 
+/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It
+ * takes an amount of time dependent on |len|, but independent of the contents
+ * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a
+ * defined order as the return value when a != b is undefined, other than to be
+ * non-zero. */
+int CRYPTO_memcmp(const void *a, const void *b, size_t len);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.

diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 553d212ebe9c7cdacde646a92ac0250185793df2..af4d24a56ef5918def4e19e914901f5163ad48d5 100644 (file)
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -149,7 +149,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
        if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL))
                return -1;
 
-       if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
+       if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
                goto decoding_err;
        else
                {

diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 987af608358d914a72fa8a4620d7faf8188d22f0..5e2c56c9833ddcb85c0286de0e2cb89c9cbf9578 100644 (file)
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -463,7 +463,7 @@ printf("\n");
                else
                        rr->length = 0;
                i=s->method->ssl3_enc->mac(s,md,0);
-               if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0)
+               if (i < 0 || mac == NULL || CRYPTO_memcmp(md,mac,mac_size) != 0)
                        {
                        decryption_failed_or_bad_record_mac = 1;
                        }

diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
index 76b690ea1340f04bad5c9eeb25e3cc9dc43ed9cb..03b6cf9673809a7582c4c176c30a75b7e0e1b6a4 100644 (file)
--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -939,7 +939,7 @@ static int get_server_verify(SSL *s)
                s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */
        p += 1;
 
-       if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
+       if (CRYPTO_memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
                {
                ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
                SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT);

diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c
index ac963b2d47d6e369adc012ffac5c8df4ddc7f4bb..8bb6ab8baa33501dcd6f0991d53ad80b3d9361aa 100644 (file)
--- a/ssl/s2_pkt.c
+++ b/ssl/s2_pkt.c
@@ -269,8 +269,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
                        s->s2->ract_data_length-=mac_size;
                        ssl2_mac(s,mac,0);
                        s->s2->ract_data_length-=s->s2->padding;
-                       if (    (memcmp(mac,s->s2->mac_data,
-                               (unsigned int)mac_size) != 0) ||
+                       if (    (CRYPTO_memcmp(mac,s->s2->mac_data,mac_size) != 0) ||
                                (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
                                {
                                SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE);

diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 918da350e052b51405d29e5edbd2b350fe7cd316..ead01c82a14a09aa485b5e56b386b738403c8369 100644 (file)
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -265,7 +265,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
                goto f_err;
                }
 
-       if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
+       if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
                {
                al=SSL_AD_DECRYPT_ERROR;
                SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index dca345865a10a5fae10741e009676731181fc60d..3e111406ba70252c101f1c7b2c4f53a7524e27bd 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -463,7 +463,7 @@ printf("\n");
 #endif
                        }
                i=s->method->ssl3_enc->mac(s,md,0);
-               if (i < 0 || mac == NULL || memcmp(md, mac, (size_t)mac_size) != 0)
+               if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
                        {
                        decryption_failed_or_bad_record_mac = 1;
                        }

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d8df062a803216f2b0489b1eb613d907542aa887..27010dd50de5e3154bb3876fc4932a60129e727a 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2226,7 +2226,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
        HMAC_Update(&hctx, etick, eticklen);
        HMAC_Final(&hctx, tick_hmac, NULL);
        HMAC_CTX_cleanup(&hctx);
-       if (memcmp(tick_hmac, etick + eticklen, mlen))
+       if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
                return 2;
        /* Attempt to decrypt session data */
        /* Move p after IV to start of encrypted ticket, update length */