Use constant-time comparisons for checksums
authorGreg Hudson <ghudson@mit.edu>
Wed, 2 Oct 2013 21:58:06 +0000 (17:58 -0400)
committerGreg Hudson <ghudson@mit.edu>
Thu, 3 Oct 2013 19:26:00 +0000 (15:26 -0400)
src/lib/crypto/krb/checksum_confounder.c
src/lib/crypto/krb/enc_dk_cmac.c
src/lib/crypto/krb/enc_dk_hmac.c
src/lib/crypto/krb/enc_old.c
src/lib/crypto/krb/enc_rc4.c
src/lib/crypto/krb/verify_checksum_iov.c
src/lib/gssapi/krb5/k5unseal.c
src/lib/gssapi/krb5/k5unsealiov.c
src/plugins/preauth/pkinit/pkinit_clnt.c
src/plugins/preauth/pkinit/pkinit_srv.c

index 31c7cd364655520cd764737c6668d8037f628dd1..34941562c4166dbbc558d6f6fbad47bbd5ad02e0 100644 (file)
@@ -148,7 +148,7 @@ krb5_error_code krb5int_confounder_verify(const struct krb5_cksumtypes *ctp,
         goto cleanup;
 
     /* Compare the decrypted hash to the computed one. */
-    *valid = (memcmp(plaintext + blocksize, computed.data, hashsize) == 0);
+    *valid = (k5_bcmp(plaintext + blocksize, computed.data, hashsize) == 0);
 
 cleanup:
     zapfree(plaintext, input->length);
index e27c862ad16dbd83f040ea64dbf61435408c7c79..9bb3dbaecd4ea21a152811eb6dce81207fe6a140 100644 (file)
@@ -169,7 +169,7 @@ krb5int_dk_cmac_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
     ret = krb5int_cmac_checksum(enc, ki, data, num_data, &cksum);
     if (ret != 0)
         goto cleanup;
-    if (!data_eq(cksum, trailer->data))
+    if (k5_bcmp(cksum.data, trailer->data.data, enc->block_size) != 0)
         ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 
 cleanup:
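Review bot: The replacement for `data_eq(cksum, trailer->data)` drops the length comparison, so `k5_bcmp(cksum.data, trailer->data.data, enc->block_size)` reads `enc->block_size` bytes from both buffers whatever `trailer->data.length` is. Nothing in this hunk shows the trailer length being validated; presumably krb5int_dk_cmac_decrypt checks it earlier, outside the hunk. If it does, record that dependency at the comparison with a comment such as `/* trailer->data.length was checked against enc->block_size above */`. If it does not, put `trailer->data.length != enc->block_size ||` in front of the call. Testing the length first does not weaken the constant-time property, because the length is not secret.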
index 217aa88f684c8d51aee51e233b4a32e2ddac6222..f16459ec21544ee7902774254b6ad02b71448f16 100644 (file)
@@ -256,7 +256,7 @@ krb5int_dk_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
         goto cleanup;
 
     /* Compare only the possibly truncated length. */
-    if (memcmp(cksum, trailer->data.data, hmacsize) != 0) {
+    if (k5_bcmp(cksum, trailer->data.data, hmacsize) != 0) {
         ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
         goto cleanup;
     }
index a40f7094253acb0c02618772d306d2f1284b3b67..1b02a59157e41d4329eb1967c5e5ab70b438aa1b 100644 (file)
@@ -169,7 +169,7 @@ krb5int_old_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
      * the saved checksum.
      */
     ret = hash->hash(data, num_data, &checksum);
-    if (memcmp(checksum.data, saved_checksum, checksum.length) != 0) {
+    if (k5_bcmp(checksum.data, saved_checksum, checksum.length) != 0) {
         ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
         goto cleanup;
     }
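Review bot: `ret` from `hash->hash(data, num_data, &checksum)` is not tested before the new `k5_bcmp` call, so after a hash failure the comparison runs over whatever `checksum.data` happens to hold. A mismatch then overwrites the real error with KRB5KRB_AP_ERR_BAD_INTEGRITY, and a match leaves the failure in `ret` while execution continues past the integrity check. Adding `if (ret != 0) goto cleanup;` directly after the hash call keeps the verification decision tied to a successfully computed checksum. The rest of krb5int_old_decrypt is outside the hunk, so how a non-zero `ret` is handled further down cannot be confirmed from here.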
index 265e3c1d038ce7c298876cdc8fb0e553947bddd4..aac8508b137cc899c577016e834a655f04803d88 100644 (file)
@@ -277,7 +277,7 @@ krb5int_arcfour_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
         if (ret != 0)
             goto cleanup;
 
-        if (memcmp(checksum.data, comp_checksum.data, hash->hashsize) != 0) {
+        if (k5_bcmp(checksum.data, comp_checksum.data, hash->hashsize) != 0) {
             if (usage == 9) {
                 /*
                  * RFC 4757 specifies usage 8 for TGS-REP encrypted parts
index efa2adcaadb10b29dffa4d9c2fc4f2559238b75d..fc76c0e269f4a44ff6f5f4291cf3ef25eddb3c31 100644 (file)
@@ -71,8 +71,8 @@ krb5_k_verify_checksum_iov(krb5_context context,
 
     ret = ctp->checksum(ctp, key, usage, data, num_data, &computed);
     if (ret == 0) {
-        *valid = (memcmp(computed.data, checksum->data.data,
-                         ctp->output_size) == 0);
+        *valid = (k5_bcmp(computed.data, checksum->data.data,
+                          ctp->output_size) == 0);
     }
 
     zapfree(computed.data, ctp->compute_size);
index aae74fcd11c85b4c32b2753850d09b5db859b296..ca21d43a959beb28bc576156a1a8d743445c0a21 100644 (file)
@@ -309,7 +309,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
             cksum.length = 16;
         cksum.contents = md5cksum.contents + 16 - cksum.length;
 
-        code = memcmp(cksum.contents, ptr+14, cksum.length);
+        code = k5_bcmp(cksum.contents, ptr + 14, cksum.length);
         break;
 
     case SGN_ALG_MD2_5:
@@ -353,7 +353,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
             return(GSS_S_FAILURE);
         }
 
-        code = memcmp(md5cksum.contents, ptr+14, 8);
+        code = k5_bcmp(md5cksum.contents, ptr + 14, 8);
         /* Falls through to defective-token??  */
 
     default:
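Review bot: In the SGN_ALG_MD2_5 case the result of `k5_bcmp(md5cksum.contents, ptr + 14, 8)` is stored in `code` and control then falls into `default:`, with only the existing `/* Falls through to defective-token??  */` comment to explain it. The default arm is outside the hunk. If it rejects the token unconditionally, the comparison result is never examined and the call could be dropped; if the result is meant to decide validity, the case needs a `break;`. Either way the question-marked comment should become a definite statement once the intent is confirmed, for example `/* Deliberate fall-through: this algorithm is always rejected. */`. The literal `8` would also read better as a named checksum length, like the `cksum_len` used in the later case.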
@@ -393,7 +393,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
             return(GSS_S_FAILURE);
         }
 
-        code = memcmp(md5cksum.contents, ptr+14, cksum_len);
+        code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len);
         break;
     }
 
index 24853abeca0ab872cd57fa3192940eb428724851..e34bda4754ba7ffed18333033da07153d90a460d 100644 (file)
@@ -234,11 +234,11 @@ kg_unseal_v1_iov(krb5_context context,
         cksum.length = cksum_len;
         cksum.contents = md5cksum.contents + 16 - cksum.length;
 
-        code = memcmp(cksum.contents, ptr + 14, cksum.length);
+        code = k5_bcmp(cksum.contents, ptr + 14, cksum.length);
         break;
     case SGN_ALG_HMAC_SHA1_DES3_KD:
     case SGN_ALG_HMAC_MD5:
-        code = memcmp(md5cksum.contents, ptr + 14, cksum_len);
+        code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len);
         break;
     default:
         code = 0;
index 9d7d7bd6e74a2afb5d3231b385f302f8e6753922..bfa25ae611bc43d31eae8e94ee22d95ba33133c5 100644 (file)
@@ -903,8 +903,8 @@ pkinit_as_rep_parse(krb5_context context,
         }
 
         if ((cksum.length != key_pack->asChecksum.length) ||
-            memcmp(cksum.contents, key_pack->asChecksum.contents,
-                   cksum.length)) {
+            k5_bcmp(cksum.contents, key_pack->asChecksum.contents,
+                    cksum.length) != 0) {
             TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(context, &cksum,
                                                   &key_pack->asChecksum);
             pkiDebug("failed to match the checksums\n");
index 640e835ca87be10d98a290e7a835586f8187a864..1179216b5ee680fbc9f8c170d246309ce593fced 100644 (file)
@@ -461,9 +461,9 @@ pkinit_server_verify_padata(krb5_context context,
             goto cleanup;
         }
         if (cksum.length != auth_pack->pkAuthenticator.paChecksum.length ||
-            memcmp(cksum.contents,
-                   auth_pack->pkAuthenticator.paChecksum.contents,
-                   cksum.length)) {
+            k5_bcmp(cksum.contents,
+                    auth_pack->pkAuthenticator.paChecksum.contents,
+                    cksum.length) != 0) {
             pkiDebug("failed to match the checksum\n");
 #ifdef DEBUG_CKSUM
             pkiDebug("calculating checksum on buf size (%d)\n",