TLS: Use os_memcmp_const() for hash/password comparisons
authorJouni Malinen <j@w1.fi>
Sun, 29 Jun 2014 17:18:00 +0000 (20:18 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 2 Jul 2014 09:38:47 +0000 (12:38 +0300)
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/tls/pkcs1.c
src/tls/tlsv1_client_read.c
src/tls/tlsv1_common.c
src/tls/tlsv1_record.c
src/tls/tlsv1_server_read.c
src/tls/x509v3.c

index 381b7a03879f1f4362a0d7dcccf200d8203df946..141ac50df401d2cf872866ad6025660f20097f3a 100644 (file)
@@ -298,7 +298,7 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
                    hdr.payload, hdr.length);
 
        if (hdr.length != hash_len ||
-           os_memcmp(hdr.payload, hash, hdr.length) != 0) {
+           os_memcmp_const(hdr.payload, hash, hdr.length) != 0) {
                wpa_printf(MSG_INFO, "PKCS #1: Digest value does not match calculated hash");
                os_free(decrypted);
                return -1;
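Review bot: Nothing at this call site records why the constant-time variant is used, or that its result is only meaningful as zero/non-zero, so a later cleanup could swap `os_memcmp()` back in unnoticed. A short comment above the condition would help, e.g. `/* Constant-time compare: payload comes from the decrypted signature */`. The `hdr.length != hash_len` test still short-circuits, which is acceptable as long as the digest length is fixed by the algorithm and not secret. The same comment applies to the matching conditions in tls_verify_signature() and in the X509 digest check after `skip_digest_oid:`; pkcs1_v15_sig_ver() starts and ends outside this hunk.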
index f78921d9864f51eb1b1c83da2fbe3f5fba4d8780..4f08e0f9d204fc2139759382c9b532f3ace1a888 100644 (file)
@@ -962,7 +962,7 @@ static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
        wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)",
                        verify_data, TLS_VERIFY_DATA_LEN);
 
-       if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
+       if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
                wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data");
                tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
                          TLS_ALERT_DECRYPT_ERROR);
index 8a4645bf2b2d1779e04752b554289332f3b08cc0..ced28cff46fb652825f5a0fbab96365cae8c5b28 100644 (file)
@@ -481,7 +481,8 @@ int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk,
        }
 #endif /* CONFIG_TLSV12 */
 
-       if (buflen != data_len || os_memcmp(decrypted, data, data_len) != 0) {
+       if (buflen != data_len ||
+           os_memcmp_const(decrypted, data, data_len) != 0) {
                wpa_printf(MSG_DEBUG, "TLSv1: Invalid Signature in CertificateVerify - did not match calculated hash");
                os_free(buf);
                *alert = TLS_ALERT_DECRYPT_ERROR;
index 3bec3be36f073ed8c7fdab07a1584f1913e36303..0c6897a8fc23b031ffb8d1e4c6c9b591e5df63d3 100644 (file)
@@ -456,7 +456,7 @@ int tlsv1_record_receive(struct tlsv1_record_layer *rl,
                        return -1;
                }
                if (hlen != rl->hash_size ||
-                   os_memcmp(hash, out_data + plen, hlen) != 0 ||
+                   os_memcmp_const(hash, out_data + plen, hlen) != 0 ||
                    force_mac_error) {
                        wpa_printf(MSG_DEBUG, "TLSv1: Invalid HMAC value in "
                                   "received message (force_mac_error=%d)",
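Review bot: The constant-time compare covers only the MAC bytes; whether this record check is uniform in time also depends on the padding validation and on how much data is hashed, both of which happen before this condition and outside the hunk. `force_mac_error` looks like it folds an earlier padding failure into the same error path, but that cannot be confirmed from these lines. A comment stating the invariant, e.g. `/* Padding and MAC failures must stay indistinguishable to the peer */`, would keep later edits from reintroducing an early return. tlsv1_record_receive() continues outside the hunk.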
index c34545ed5f6f002eca05ecbc5a542328a803ec80..728e137254d2c2a8bb7d216791aec369358e72e3 100644 (file)
@@ -1135,7 +1135,7 @@ static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
        wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)",
                        verify_data, TLS_VERIFY_DATA_LEN);
 
-       if (os_memcmp(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
+       if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) {
                tlsv1_server_log(conn, "Mismatch in verify_data");
                return -1;
        }
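Review bot: On a verify_data mismatch this path only logs and returns -1, whereas the client-side check in tls_process_server_finished() sends a fatal `TLS_ALERT_DECRYPT_ERROR` alert before failing. If the caller does not already send one, add `tlsv1_server_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECRYPT_ERROR);` before the `return -1;` so both sides fail the handshake the same way. The rest of tls_process_client_finished() is outside the hunk, so the alert may be handled elsewhere.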
index 751a268e1caf27ba4612cd47bb07d3a15e07f2e9..e1e4df8de188bddd34c2e212e275284fa80b1908 100644 (file)
@@ -1776,7 +1776,7 @@ skip_digest_oid:
        }
 
        if (hdr.length != hash_len ||
-           os_memcmp(hdr.payload, hash, hdr.length) != 0) {
+           os_memcmp_const(hdr.payload, hash, hdr.length) != 0) {
                wpa_printf(MSG_INFO, "X509: Certificate Digest does not match "
                           "with calculated tbsCertificate hash");
                os_free(data);