From 0fc5b6d312fea35d788e92ffc5a6dc32638d32bc Mon Sep 17 00:00:00 2001 From: kenjiro <> Date: Tue, 3 Jun 2025 08:42:15 +0000 Subject: Use timingsafe_memcmp when comparing authenticators Replace memcmp() with timingsafe_memcmp() for authentication tag comparison in AES-CCM, GCM, PKCS12 and AES key unwrap code paths to ensure constant-time behavior and avoid potential timing side channels. This aligns with OpenSSL 1e4a355. ok tb@ --- src/lib/libcrypto/aes/aes.c | 4 ++-- src/lib/libcrypto/evp/e_aes.c | 6 +++--- src/lib/libcrypto/pkcs12/p12_mutl.c | 8 ++++---- 3 files changed, 9 insertions(+), 9 deletions(-) (limited to 'src') diff --git a/src/lib/libcrypto/aes/aes.c b/src/lib/libcrypto/aes/aes.c index 50e4ce13cc..e630c3f81a 100644 --- a/src/lib/libcrypto/aes/aes.c +++ b/src/lib/libcrypto/aes/aes.c @@ -1,4 +1,4 @@ -/* $OpenBSD: aes.c,v 1.8 2025/05/25 06:27:02 jsing Exp $ */ +/* $OpenBSD: aes.c,v 1.9 2025/06/03 08:42:15 kenjiro Exp $ */ /* ==================================================================== * Copyright (c) 2002-2006 The OpenSSL Project. All rights reserved. * @@ -341,7 +341,7 @@ AES_unwrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out, } if (!iv) iv = aes_wrap_default_iv; - if (memcmp(A, iv, 8)) { + if (timingsafe_memcmp(A, iv, 8) != 0) { explicit_bzero(out, inlen); return 0; } diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c index bfdfed8172..a0f192905d 100644 --- a/src/lib/libcrypto/evp/e_aes.c +++ b/src/lib/libcrypto/evp/e_aes.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_aes.c,v 1.68 2025/05/19 04:32:52 jsing Exp $ */ +/* $OpenBSD: e_aes.c,v 1.69 2025/06/03 08:42:15 kenjiro Exp $ */ /* ==================================================================== * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. * @@ -1557,7 +1557,7 @@ aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN); /* If tag mismatch wipe buffer */ - if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) { + if (timingsafe_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN) != 0) { explicit_bzero(out, len); goto err; } @@ -2072,7 +2072,7 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { unsigned char tag[16]; if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { - if (!memcmp(tag, ctx->buf, cctx->M)) + if (timingsafe_memcmp(tag, ctx->buf, cctx->M) == 0) rv = len; } } diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c index 513aa54ada..4a9d0f9757 100644 --- a/src/lib/libcrypto/pkcs12/p12_mutl.c +++ b/src/lib/libcrypto/pkcs12/p12_mutl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_mutl.c,v 1.39 2025/05/10 05:54:38 tb Exp $ */ +/* $OpenBSD: p12_mutl.c,v 1.40 2025/06/03 08:42:15 kenjiro Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -189,10 +189,10 @@ PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) PKCS12error(PKCS12_R_MAC_GENERATION_ERROR); return 0; } - if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) || - memcmp(mac, p12->mac->dinfo->digest->data, maclen)) + if (maclen != (unsigned int)p12->mac->dinfo->digest->length) return 0; - return 1; + + return timingsafe_memcmp(mac, p12->mac->dinfo->digest->data, maclen) == 0; } LCRYPTO_ALIAS(PKCS12_verify_mac); -- cgit v1.2.3-55-g6feb