From: W.C.A. Wijngaards Date: Mon, 18 Nov 2019 15:54:06 +0000 (+0100) Subject: * Detect fixed time memory compare for openssl 0.9.8. X-Git-Tag: 1.8.0-rc.1~82^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9073d9fc313b19f51a5aa160584f2bdccda637a;p=thirdparty%2Fldns.git * Detect fixed time memory compare for openssl 0.9.8. --- diff --git a/Changelog b/Changelog index 86d8f91c..aea953bd 100644 --- a/Changelog +++ b/Changelog @@ -4,6 +4,7 @@ * bugfix #51: Heap Out-of-bound Read vulnerability in ldns_nsec3_salt_data reported by pokerfacett. * Fix memory leak in examples/ldns-testns handle_tcp routine. + * Detect fixed time memory compare for openssl 0.9.8. 1.7.1 2019-07-26 * bugfix: Manage verification paths for OpenSSL >= 1.1.0 diff --git a/configure.ac b/configure.ac index 9ab7dff9..a23ab6a5 100644 --- a/configure.ac +++ b/configure.ac @@ -332,7 +332,7 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/ else AC_MSG_RESULT([no]) fi -AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id DSA_SIG_set0 DSA_SIG_get0 EVP_dss1 DSA_get0_pqg DSA_get0_key OPENSSL_init_ssl OPENSSL_init_crypto ERR_load_crypto_strings]) +AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id DSA_SIG_set0 DSA_SIG_get0 EVP_dss1 DSA_get0_pqg DSA_get0_key OPENSSL_init_ssl OPENSSL_init_crypto ERR_load_crypto_strings CRYPTO_memcmp]) # for macosx, see if glibtool exists and use that # BSD's need to know the version... diff --git a/tsig.c b/tsig.c index 458861a1..c3c265b0 100644 --- a/tsig.c +++ b/tsig.c @@ -354,7 +354,13 @@ ldns_pkt_tsig_verify_next(ldns_pkt *pkt, const uint8_t *wire, size_t wirelen, co return false; } /* use time insensitive memory compare */ - if(CRYPTO_memcmp(ldns_rdf_data(pkt_mac_rdf), ldns_rdf_data(my_mac_rdf), + if( +#ifdef HAVE_CRYPTO_MEMCMP + CRYPTO_memcmp +#else + memcmp +#endif + (ldns_rdf_data(pkt_mac_rdf), ldns_rdf_data(my_mac_rdf), ldns_rdf_size(my_mac_rdf)) == 0) { ldns_rdf_deep_free(my_mac_rdf); return true;