From 59b5ab4aa72527ce74dbe1a83988f194053293de Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Wed, 27 May 2015 17:12:13 +0200 Subject: [PATCH] Use CRYPTO_memcmp when comparing authenticators Pointed out by Victor Vasiliev (vasilvv@mit.edu) via Adam Langley (Google). Reviewed-by: Rich Salz (cherry picked from commit 1e4a355dcabe2f75df5bb8b41b394d37037169d2) (cherry picked from commit ac32a77cd69784568090e934a31622ddfee49ca7) --- crypto/evp/e_aes.c | 5 +++-- crypto/evp/e_rc4_hmac_md5.c | 3 ++- crypto/modes/gcm128.c | 2 +- crypto/pkcs12/p12_mutl.c | 3 ++- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index bde480481d..1ede7bd39e 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -50,6 +50,7 @@ #include #ifndef OPENSSL_NO_AES +#include # include # include # include @@ -914,7 +915,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, /* Retrieve tag */ CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN); /* If tag mismatch wipe buffer */ - if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) { + if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) { OPENSSL_cleanse(out, len); goto err; } @@ -1259,7 +1260,7 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { unsigned char tag[16]; if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { - if (!memcmp(tag, ctx->buf, cctx->M)) + if (!CRYPTO_memcmp(tag, ctx->buf, cctx->M)) rv = len; } } diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c index e6b0cdff43..2da1117829 100644 --- a/crypto/evp/e_rc4_hmac_md5.c +++ b/crypto/evp/e_rc4_hmac_md5.c @@ -54,6 +54,7 @@ #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_MD5) +# include # include # include # include @@ -210,7 +211,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, MD5_Update(&key->md, mac, MD5_DIGEST_LENGTH); MD5_Final(mac, &key->md); - if (memcmp(out + plen, mac, MD5_DIGEST_LENGTH)) + if (CRYPTO_memcmp(out + plen, mac, MD5_DIGEST_LENGTH)) return 0; } else { MD5_Update(&key->md, out + md5_off, len - md5_off); diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c index f69f2c9db6..0ee569fb7a 100644 --- a/crypto/modes/gcm128.c +++ b/crypto/modes/gcm128.c @@ -1622,7 +1622,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag, ctx->Xi.u[1] ^= ctx->EK0.u[1]; if (tag && len <= sizeof(ctx->Xi)) - return memcmp(ctx->Xi.c, tag, len); + return CRYPTO_memcmp(ctx->Xi.c, tag, len); else return -1; } diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index 256b210cce..5ab4bf290e 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -60,6 +60,7 @@ #ifndef OPENSSL_NO_HMAC # include # include "cryptlib.h" +# include # include # include # include @@ -123,7 +124,7 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) return 0; } if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) - || memcmp(mac, p12->mac->dinfo->digest->data, maclen)) + || CRYPTO_memcmp(mac, p12->mac->dinfo->digest->data, maclen)) return 0; return 1; } -- 2.25.1