Commit 1e4a355d authored by Emilia Kasper's avatar Emilia Kasper
Browse files

Use CRYPTO_memcmp when comparing authenticators 



Pointed out by Victor Vasiliev (vasilvv@mit.edu) via Adam Langley
(Google).

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent 65d3941f

crypto/evp/e_aes.c

+3 −2
Original line number Diff line number Diff line
@@ -50,6 +50,7 @@ 


#include <openssl/opensslconf.h>

#ifndef OPENSSL_NO_AES

#include <openssl/crypto.h>

# include <openssl/evp.h>

# include <openssl/err.h>

# include <string.h>
@@ -1555,7 +1556,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 
        /* Retrieve tag */

        CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);

        /* If tag mismatch wipe buffer */

        if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {

        if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {

            OPENSSL_cleanse(out, len);

            goto err;

        }
@@ -1990,7 +1991,7 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 
            !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {

            unsigned char tag[16];

            if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {

                if (!memcmp(tag, ctx->buf, cctx->M))

                if (!CRYPTO_memcmp(tag, ctx->buf, cctx->M))

                    rv = len;

            }

        }

crypto/evp/e_rc4_hmac_md5.c

+2 −1
Original line number Diff line number Diff line
@@ -54,6 +54,7 @@ 


#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_MD5)



# include <openssl/crypto.h>

# include <openssl/evp.h>

# include <openssl/objects.h>

# include <openssl/rc4.h>
@@ -209,7 +210,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 
            MD5_Update(&key->md, mac, MD5_DIGEST_LENGTH);

            MD5_Final(mac, &key->md);



            if (memcmp(out + plen, mac, MD5_DIGEST_LENGTH))

            if (CRYPTO_memcmp(out + plen, mac, MD5_DIGEST_LENGTH))

                return 0;

        } else {

            MD5_Update(&key->md, out + md5_off, len - md5_off);

crypto/modes/gcm128.c

+1 −1
Original line number Diff line number Diff line
@@ -1685,7 +1685,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag, 
    ctx->Xi.u[1] ^= ctx->EK0.u[1];



    if (tag && len <= sizeof(ctx->Xi))

        return memcmp(ctx->Xi.c, tag, len);

        return CRYPTO_memcmp(ctx->Xi.c, tag, len);

    else

        return -1;

}

crypto/pkcs12/p12_mutl.c

+2 −1
Original line number Diff line number Diff line
@@ -59,6 +59,7 @@ 


# include <stdio.h>

# include "internal/cryptlib.h"

#include <openssl/crypto.h>

# include <openssl/hmac.h>

# include <openssl/rand.h>

# include <openssl/pkcs12.h>
@@ -123,7 +124,7 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) 
        return 0;

    }

    if ((maclen != (unsigned int)p12->mac->dinfo->digest->length)

        || memcmp(mac, p12->mac->dinfo->digest->data, maclen))

        || CRYPTO_memcmp(mac, p12->mac->dinfo->digest->data, maclen))

        return 0;

    return 1;

}