author | kenjiro <> | 2025-06-03 08:42:15 +0000 |
---|---|---|
committer | kenjiro <> | 2025-06-03 08:42:15 +0000 |
commit | 82cb6d2187c46a5ca3bf09876c4b839881659abc (patch) | |
tree | 434d3918c993050065791d5dd314e69293d80c26 | |
parent | db4ef294b026e518a37a083a9ef4d3adffea371c (diff) | |
Use timingsafe_memcmp when comparing authenticators
Replace memcmp() with timingsafe_memcmp() for authentication tag
comparison in AES-CCM, GCM, PKCS12 and AES key unwrap code paths
to ensure constant-time behavior and avoid potential timing side
channels.
This aligns with OpenSSL 1e4a355.
ok tb@
-rw-r--r-- | src/lib/libcrypto/aes/aes.c | 4 | ||||
-rw-r--r-- | src/lib/libcrypto/evp/e_aes.c | 6 | ||||
-rw-r--r-- | src/lib/libcrypto/pkcs12/p12_mutl.c | 8 |
3 files changed, 9 insertions, 9 deletions
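--- a/src/lib/libcrypto/aes/aes.c
+++ b/src/lib/libcrypto/aes/aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes.c,v 1.8 2025/05/25 06:27:02 jsing Exp $ */
+/* $OpenBSD: aes.c,v 1.9 2025/06/03 08:42:15 kenjiro Exp $ */
 /* ====================================================================
  * Copyright (c) 2002-2006 The OpenSSL Project. All rights reserved.
  *
@@ -341,7 +341,7 @@ AES_unwrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
 }
 if (!iv)
 iv = aes_wrap_default_iv;
-if (memcmp(A, iv, 8)) {
+if (timingsafe_memcmp(A, iv, 8) != 0) {
 explicit_bzero(out, inlen);
 return 0;
 }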
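Review bot: Only equality is needed at line 344 of AES_unwrap_key, and likewise at the GCM and CCM sites in e_aes.c and the MAC check in p12_mutl.c, so `timingsafe_bcmp()` would express that intent more directly than `timingsafe_memcmp()`, which additionally derives a constant-time ordering result; both are constant-time, so this is a readability point and uniform use of timingsafe_memcmp is fine if that is the tree's convention. The check itself carries no why-comment, unlike the GCM site's `/* If tag mismatch wipe buffer */`; a line such as `/* Integrity check: the unwrapped A register must equal the IV. */` above line 344 would help a reader who does not know the key-wrap construction. AES_unwrap_key begins before the hunk.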
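--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.68 2025/05/19 04:32:52 jsing Exp $ */
+/* $OpenBSD: e_aes.c,v 1.69 2025/06/03 08:42:15 kenjiro Exp $ */
 /* ====================================================================
  * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
  *
@@ -1557,7 +1557,7 @@ aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
 
 /* If tag mismatch wipe buffer */
-if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
+if (timingsafe_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN) != 0) {
 explicit_bzero(out, len);
 goto err;
 }
@@ -2072,7 +2072,7 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
 unsigned char tag[16];
 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
-if (!memcmp(tag, ctx->buf, cctx->M))
+if (timingsafe_memcmp(tag, ctx->buf, cctx->M) == 0)
 rv = len;
 }
 }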
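Review bot: In the aes_ccm_cipher hunk (lines 2072–2078) a tag mismatch, or a failed CRYPTO_ccm128_tag(), leaves the already-decrypted plaintext in `out`, whereas the GCM hunk above wipes `out` with explicit_bzero() on mismatch; unauthenticated plaintext should not be left behind for a caller that ignores the return value. After the `if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { ... }` block a single line such as `if (rv < 0) explicit_bzero(out, len);` would close the gap, on the presumption that `rv` is initialised to -1 at the top of aes_ccm_cipher, which is outside the hunk and should be confirmed. The enclosing conditional also starts before the hunk, so the encrypt branch of that ternary is not visible here.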
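--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_mutl.c,v 1.39 2025/05/10 05:54:38 tb Exp $ */
+/* $OpenBSD: p12_mutl.c,v 1.40 2025/06/03 08:42:15 kenjiro Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -189,10 +189,10 @@ PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
 PKCS12error(PKCS12_R_MAC_GENERATION_ERROR);
 return 0;
 }
-if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) ||
-memcmp(mac, p12->mac->dinfo->digest->data, maclen))
+if (maclen != (unsigned int)p12->mac->dinfo->digest->length)
 return 0;
-return 1;
+
+return timingsafe_memcmp(mac, p12->mac->dinfo->digest->data, maclen) == 0;
 }
 LCRYPTO_ALIAS(PKCS12_verify_mac);
 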