From 11d21349a4e7e38a025849479b36ace7c2eec2ee Mon Sep 17 00:00:00 2001
From: Steffan Karger
Date: Tue, 19 Mar 2013 13:01:50 +0100
Subject: [PATCH] Use constant time memcmp when comparing HMACs in openvpn_decrypt.
Signed-off-by: Steffan Karger
Acked-by: Gert Doering
Signed-off-by: Gert Doering
---
src/openvpn/buffer.h | 8 ++++++++
src/openvpn/crypto.c | 20 +++++++++++++++++++-
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
index 7cae733..93efb09 100644
--- a/src/openvpn/buffer.h
+++ b/src/openvpn/buffer.h
@@ -668,6 +668,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...)
} }
+/**
+ * Compare src buffer contents with match.
+ * *NOT* constant time. Do not use when comparing HMACs.
+ */
static inline bool buf_string_match (const struct buffer *src, const void *match, int size) {
@@ -676,6 +680,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...)
return memcmp (BPTR (src), match, size) == 0; }
+/**
+ * Compare first size bytes of src buffer contents with match.
+ * *NOT* constant time. Do not use when comparing HMACs.
+ */
static inline bool buf_string_match_head (const struct buffer *src, const void *match, int size) {
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 405c0aa..d9adf5b 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -65,6 +65,24 @@ #define CRYPT_ERROR(format) \ do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
+/**
+ * As memcmp(), but constant-time.
+ * Returns 0 when data is equal, non-zero otherwise.
+ */
+static int
+memcmp_constant_time (const void *a, const void *b, size_t size) {
+ const uint8_t * a1 = a;
+ const uint8_t * b1 = b;
+ int ret = 0;
+ size_t i;
+
+ for (i = 0; i < size; i++) {
+ ret |= *a1++ ^ *b1++;
+ }
+
+ return ret;
+}
+
void openvpn_encrypt (struct buffer *buf, struct buffer work, const struct crypto_options *opt,
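Review bot: The warnings added above `buf_string_match` and `buf_string_match_head` in src/openvpn/buffer.h (both hunks) tell callers what not to use for HMACs but never name the alternative. The alternative this patch adds, `memcmp_constant_time`, is `static` in src/openvpn/crypto.c, so code in any other file that heeds the warning has nothing to call. Consider moving the helper into a shared header as `static inline` and closing both comments with `Use memcmp_constant_time() for MACs and other secret-derived values.` Both function bodies lie mostly outside these hunks.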
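Review bot: The doc comment on `memcmp_constant_time` in src/openvpn/crypto.c promises "As memcmp(), but constant-time", yet the function only tests equality (the OR-accumulated `ret` carries no ordering), and C gives no timing guarantee for the loop `ret |= *a1++ ^ *b1++;`. I would reword the comment to `Equality test only: returns 0 when the buffers match, non-zero otherwise; run time depends on size, not on the contents, provided the compiler keeps the loop as written.` A usual hardening is to read through `const volatile uint8_t *` pointers so the optimizer has less room to short-circuit the loop. Where the crypto backend ships its own constant-time compare (for OpenSSL, `CRYPTO_memcmp`), calling that is the other option.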
@@ -244,7 +262,7 @@ hmac_ctx_final (ctx->hmac, local_hmac); /* Compare locally computed HMAC with packet HMAC */
- if (memcmp (local_hmac, BPTR (buf), hmac_len))
+ if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
CRYPT_ERROR ("packet HMAC authentication failed"); ASSERT (buf_advance (buf, hmac_len));
-- 1.8.1.6
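Review bot: The comparison in the second crypto.c hunk reads `hmac_len` bytes from `BPTR (buf)`, and the only length-related statement visible here, `ASSERT (buf_advance (buf, hmac_len));`, runs after the read, so it cannot guard it. The enclosing function starts and ends outside the hunk; if it does not already reject packets with `buf->len < hmac_len` before this line, that check belongs directly above the compare. Extending the existing comment to something like `/* constant-time compare: a timing difference here would reveal how many MAC bytes matched */` would also keep a later cleanup from swapping plain `memcmp` back in.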