convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring

libc interfaces over libcrypto interfaces. for now we also prefer timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable. ok beck deraadt matthew miod
author: tedu <> 2014-06-19 21:29:51 +0000
committer: tedu <> 2014-06-19 21:29:51 +0000
commit: 150e8864673fb3b65a00e9188f50ca6a5bae927d (patch)
tree: 7d822bfb3203433ec1d2621e3b77a893bd97b408 /src/lib/libssl/ssl_sess.c
parent: 41e038d2e8f6a205e6aa50aa0e910df4ff76ec9e (diff)
download: openbsd-150e8864673fb3b65a00e9188f50ca6a5bae927d.tar.gz
openbsd-150e8864673fb3b65a00e9188f50ca6a5bae927d.tar.bz2
openbsd-150e8864673fb3b65a00e9188f50ca6a5bae927d.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 273a7d6817..9046dce7f8 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.32 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.33 2014/06/19 21:29:51 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -498,7 +498,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
        /* Now ret is non-NULL and we own one of its reference counts. */
        if (ret->sid_ctx_length != s->sid_ctx_length
-            || CRYPTO_memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length)) {
+            || timingsafe_memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length)) {
                /* We have the session requested by the client, but we don't
                 * want to use it in this context. */
                goto err; /* treat like cache miss */
author	tedu <>	2014-06-19 21:29:51 +0000
committer	tedu <>	2014-06-19 21:29:51 +0000
commit	150e8864673fb3b65a00e9188f50ca6a5bae927d (patch)
tree	7d822bfb3203433ec1d2621e3b77a893bd97b408 /src/lib/libssl/ssl_sess.c
parent	41e038d2e8f6a205e6aa50aa0e910df4ff76ec9e (diff)
download	openbsd-150e8864673fb3b65a00e9188f50ca6a5bae927d.tar.gz openbsd-150e8864673fb3b65a00e9188f50ca6a5bae927d.tar.bz2 openbsd-150e8864673fb3b65a00e9188f50ca6a5bae927d.zip

diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 273a7d6817..9046dce7f8 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_sess.c,v 1.32 2014/06/12 15:49:31 deraadt Exp $ */	1	/* $OpenBSD: ssl_sess.c,v 1.33 2014/06/19 21:29:51 tedu Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -498,7 +498,7 @@ ssl_get_prev_session(SSL s, unsigned char session_id, int len,
498	/* Now ret is non-NULL and we own one of its reference counts. */	498	/* Now ret is non-NULL and we own one of its reference counts. */
499		499
500	if (ret->sid_ctx_length != s->sid_ctx_length	500	if (ret->sid_ctx_length != s->sid_ctx_length
501	\|\| CRYPTO_memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length)) {	501	\|\| timingsafe_memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length)) {
502	/* We have the session requested by the client, but we don't	502	/* We have the session requested by the client, but we don't
503	* want to use it in this context. */	503	* want to use it in this context. */
504	goto err; /* treat like cache miss */	504	goto err; /* treat like cache miss */