From 05d0d33cb8dba34ebc6b8eb627d0f31bdcb74e71 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Mon, 17 Aug 2015 18:31:11 -0700 Subject: [PATCH] [v9_9] timing safe memory comparisons 4183. [cleanup] Use timing-safe memory comparisons in cryptographic code. Also, the timing-safe comparison functions have been renamed to avoid possible confusion with memcmp(). [RT #40148] (cherry picked from commit 420a43c8d8028992a4e9c170022f97bfac689025) --- CHANGES | 5 +++++ bin/dig/dighost.c | 1 + bin/dnssec/dnssec-signzone.c | 9 ++++---- lib/dns/client.c | 3 +-- lib/dns/hmac_link.c | 12 +++++----- lib/dns/nsec3.c | 5 +++-- lib/dns/opensslgost_link.c | 5 ++--- lib/dns/opensslrsa_link.c | 5 +++-- lib/dns/spnego.c | 31 +++++++++++++------------- lib/isc/hmacmd5.c | 2 +- lib/isc/hmacsha.c | 10 ++++----- lib/isc/include/isc/safe.h | 12 ++++++++-- lib/isc/safe.c | 34 ++++++++++++++++++++++++---- lib/isc/tests/safe_test.c | 43 +++++++++++++++++++++++++++--------- lib/isccc/cc.c | 4 ++-- 15 files changed, 122 insertions(+), 59 deletions(-) diff --git a/CHANGES b/CHANGES index 1dc6e40523a..c527f44568e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +4183. [cleanup] Use timing-safe memory comparisons in cryptographic + code. Also, the timing-safe comparison functions have + been renamed to avoid possible confusion with + memcmp(). [RT #40148] + 4182. [cleanup] Use mnemonics for RR class and type comparisons. [RT #40297] diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 74085149ee0..45dac2f5a11 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -85,6 +85,7 @@ #include #include #include +#include #include #include #include diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index d0602fe2eca..6ef8e44b9d3 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -52,6 +52,7 @@ #include #include #include +#include #include #include #include @@ -760,7 +761,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, static int hashlist_comp(const void *a, const void *b) { - return (memcmp(a, b, hash_length + 1)); + return (isc_safe_memcompare(a, b, hash_length + 1)); } static void @@ -787,7 +788,7 @@ hashlist_hasdup(hashlist_t *l) { next += l->length; if (next[l->length-1] != 0) continue; - if (memcmp(current, next, l->length - 1) == 0) + if (isc_safe_memequal(current, next, l->length - 1)) return (ISC_TRUE); current = next; } @@ -2011,7 +2012,7 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node, if (exists && nsec3.hash == hashalg && nsec3.iterations == iterations && nsec3.salt_length == salt_len && - !memcmp(nsec3.salt, salt, salt_len)) + isc_safe_memequal(nsec3.salt, salt, salt_len)) continue; dns_rdatalist_init(&rdatalist); rdatalist.rdclass = rdata.rdclass; @@ -2670,7 +2671,7 @@ set_nsec3params(isc_boolean_t update, isc_boolean_t set_salt, if (!update && set_salt) { if (salt_length != orig_saltlen || - memcmp(saltbuf, orig_salt, salt_length) != 0) + !isc_safe_memequal(saltbuf, orig_salt, salt_length)) fatal("An NSEC3 chain exists with a different salt. " "Use -u to update it."); } else if (!set_salt) { diff --git a/lib/dns/client.c b/lib/dns/client.c index cee4fb268d7..22df05dd049 100644 --- a/lib/dns/client.c +++ b/lib/dns/client.c @@ -14,8 +14,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.14 2011/03/12 04:59:47 tbox Exp $ */ - #include #include @@ -23,6 +21,7 @@ #include #include #include +#include #include #include #include diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c index 1edf4780fea..690301d7c23 100644 --- a/lib/dns/hmac_link.c +++ b/lib/dns/hmac_link.c @@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (hkey1 == NULL || hkey2 == NULL) return (ISC_FALSE); - if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH)) + if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH)) return (ISC_TRUE); else return (ISC_FALSE); @@ -417,7 +417,7 @@ hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (hkey1 == NULL || hkey2 == NULL) return (ISC_FALSE); - if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH)) + if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH)) return (ISC_TRUE); else return (ISC_FALSE); @@ -695,7 +695,7 @@ hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (hkey1 == NULL || hkey2 == NULL) return (ISC_FALSE); - if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH)) + if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH)) return (ISC_TRUE); else return (ISC_FALSE); @@ -975,7 +975,7 @@ hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (hkey1 == NULL || hkey2 == NULL) return (ISC_FALSE); - if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH)) + if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH)) return (ISC_TRUE); else return (ISC_FALSE); @@ -1255,7 +1255,7 @@ hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (hkey1 == NULL || hkey2 == NULL) return (ISC_FALSE); - if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH)) + if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH)) return (ISC_TRUE); else return (ISC_FALSE); @@ -1535,7 +1535,7 @@ hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (hkey1 == NULL || hkey2 == NULL) return (ISC_FALSE); - if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH)) + if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH)) return (ISC_TRUE); else return (ISC_FALSE); diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c index 11ae837a54a..74ab9ddf649 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c @@ -25,6 +25,7 @@ #include #include #include +#include #include @@ -1929,7 +1930,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, * Work out what this NSEC3 covers. * Inside (<0) or outside (>=0). */ - scope = memcmp(owner, nsec3.next, nsec3.next_length); + scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length); /* * Prepare to compute all the hashes. @@ -1954,7 +1955,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, return (ISC_R_IGNORE); } - order = memcmp(hash, owner, length); + order = isc_safe_memcompare(hash, owner, length); if (first && order == 0) { /* * The hashes are the same. diff --git a/lib/dns/opensslgost_link.c b/lib/dns/opensslgost_link.c index a01e9f32bb2..2bd1bb1484b 100644 --- a/lib/dns/opensslgost_link.c +++ b/lib/dns/opensslgost_link.c @@ -14,14 +14,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: opensslgost_link.c,v 1.5 2011/01/19 23:47:12 tbox Exp $ */ - #include #ifdef HAVE_OPENSSL_GOST #include #include +#include #include #include @@ -253,7 +252,7 @@ opensslgost_todns(const dst_key_t *key, isc_buffer_t *data) { p = der; len = i2d_PUBKEY(pkey, &p); INSIST(len == sizeof(der)); - INSIST(memcmp(gost_prefix, der, 37) == 0); + INSIST(isc_safe_memequal(gost_prefix, der, 37)); memmove(r.base, der + 37, 64); isc_buffer_add(data, 64); diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index b621b3d322e..dc3d7e5aa11 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -650,9 +650,10 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { DST_R_VERIFYFAILURE)); if (status != (int)(prefixlen + digestlen)) return (DST_R_VERIFYFAILURE); - if (memcmp(original, prefix, prefixlen)) + if (!isc_safe_memequal(original, prefix, prefixlen)) return (DST_R_VERIFYFAILURE); - if (memcmp(original + prefixlen, digest, digestlen)) + if (!isc_safe_memequal(original + prefixlen, + digest, digestlen)) return (DST_R_VERIFYFAILURE); status = 1; } diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c index 6ae1123018f..0de332fc6a6 100644 --- a/lib/dns/spnego.c +++ b/lib/dns/spnego.c @@ -14,8 +14,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ - /*! \file * \brief * Portable SPNEGO implementation. @@ -146,6 +144,7 @@ #include #include #include +#include #include #include #include @@ -395,7 +394,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) if (((OM_uint32) *p++) != gssoid->length) return (GSS_S_DEFECTIVE_TOKEN); - return (memcmp(p, gssoid->elements, gssoid->length)); + return (isc_safe_memcompare(p, gssoid->elements, gssoid->length)); } /* accept_sec_context.c */ @@ -635,16 +634,18 @@ gss_accept_sec_context_spnego(OM_uint32 *minor_status, return (GSS_S_DEFECTIVE_TOKEN); } if (mech_len == GSS_KRB5_MECH->length && - memcmp(GSS_KRB5_MECH->elements, - mechbuf + sizeof(mechbuf) - mech_len, - mech_len) == 0) { + isc_safe_memequal(GSS_KRB5_MECH->elements, + mechbuf + sizeof(mechbuf) - mech_len, + mech_len)) + { found = 1; break; } if (mech_len == GSS_MSKRB5_MECH->length && - memcmp(GSS_MSKRB5_MECH->elements, - mechbuf + sizeof(mechbuf) - mech_len, - mech_len) == 0) { + isc_safe_memequal(GSS_MSKRB5_MECH->elements, + mechbuf + sizeof(mechbuf) - mech_len, + mech_len)) + { found = 1; if (i == 0) pref = GSS_MSKRB5_MECH; @@ -715,7 +716,7 @@ gssapi_verify_mech_header(u_char ** str, p += foo; if (mech_len != mech->length) return (GSS_S_BAD_MECH); - if (memcmp(p, mech->elements, mech->length) != 0) + if (!isc_safe_memequal(p, mech->elements, mech->length)) return (GSS_S_BAD_MECH); p += mech_len; *str = p; @@ -1668,7 +1669,7 @@ spnego_reply(OM_uint32 *minor_status, buf = input_token->value; buf_size = input_token->length; } else if ((size_t)mech_len == GSS_KRB5_MECH->length && - memcmp(GSS_KRB5_MECH->elements, p, mech_len) == 0) + isc_safe_memequal(GSS_KRB5_MECH->elements, p, mech_len)) return (gss_init_sec_context(minor_status, initiator_cred_handle, context_handle, @@ -1683,7 +1684,7 @@ spnego_reply(OM_uint32 *minor_status, ret_flags, time_rec)); else if ((size_t)mech_len == GSS_SPNEGO_MECH->length && - memcmp(GSS_SPNEGO_MECH->elements, p, mech_len) == 0) { + isc_safe_memequal(GSS_SPNEGO_MECH->elements, p, mech_len)) { ret = gssapi_spnego_decapsulate(minor_status, input_token, &buf, @@ -1721,9 +1722,9 @@ spnego_reply(OM_uint32 *minor_status, resp.supportedMech, &oidlen); if (ret || oidlen != GSS_KRB5_MECH->length || - memcmp(oidbuf + sizeof(oidbuf) - oidlen, - GSS_KRB5_MECH->elements, - oidlen) != 0) { + !isc_safe_memequal(oidbuf + sizeof(oidbuf) - oidlen, + GSS_KRB5_MECH->elements, oidlen)) + { free_NegTokenResp(&resp); return GSS_S_BAD_MECH; } diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c index 9c10532c53c..e054c08a973 100644 --- a/lib/isc/hmacmd5.c +++ b/lib/isc/hmacmd5.c @@ -159,5 +159,5 @@ isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len) { REQUIRE(len <= ISC_MD5_DIGESTLENGTH); isc_hmacmd5_sign(ctx, newdigest); - return (isc_safe_memcmp(digest, newdigest, len)); + return (isc_safe_memequal(digest, newdigest, len)); } diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c index 1f72330d35c..9491dd9d417 100644 --- a/lib/isc/hmacsha.c +++ b/lib/isc/hmacsha.c @@ -604,7 +604,7 @@ isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH); - return (isc_safe_memcmp(digest, newdigest, len)); + return (isc_safe_memequal(digest, newdigest, len)); } /* @@ -617,7 +617,7 @@ isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH); - return (isc_safe_memcmp(digest, newdigest, len)); + return (isc_safe_memequal(digest, newdigest, len)); } /* @@ -630,7 +630,7 @@ isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH); - return (isc_safe_memcmp(digest, newdigest, len)); + return (isc_safe_memequal(digest, newdigest, len)); } /* @@ -643,7 +643,7 @@ isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH); - return (isc_safe_memcmp(digest, newdigest, len)); + return (isc_safe_memequal(digest, newdigest, len)); } /* @@ -656,5 +656,5 @@ isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); isc_hmacsha512_sign(ctx, newdigest, ISC_SHA512_DIGESTLENGTH); - return (isc_safe_memcmp(digest, newdigest, len)); + return (isc_safe_memequal(digest, newdigest, len)); } diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h index 89d56def73f..b2495e962fd 100644 --- a/lib/isc/include/isc/safe.h +++ b/lib/isc/include/isc/safe.h @@ -26,9 +26,17 @@ ISC_LANG_BEGINDECLS isc_boolean_t -isc_safe_memcmp(const void *s1, const void *s2, size_t n); +isc_safe_memequal(const void *s1, const void *s2, size_t n); /*%< - * Clone of libc memcmp() safe to differential timing attacks. + * Returns ISC_TRUE iff. two blocks of memory are equal, otherwise + * ISC_FALSE. + * + */ + +int +isc_safe_memcompare(const void *b1, const void *b2, size_t len); +/*%< + * Clone of libc memcmp() which is safe to differential timing attacks. */ ISC_LANG_ENDDECLS diff --git a/lib/isc/safe.c b/lib/isc/safe.c index fd276871887..a6d010ff649 100644 --- a/lib/isc/safe.c +++ b/lib/isc/safe.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2013, 2015 Internet Systems Consortium, Inc. ("ISC") + * Copyright (c) 2014 Google Inc. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,8 +15,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ - /*! \file */ #include @@ -28,7 +27,7 @@ #endif isc_boolean_t -isc_safe_memcmp(const void *s1, const void *s2, size_t n) { +isc_safe_memequal(const void *s1, const void *s2, size_t n) { isc_uint8_t acc = 0; if (n != 0U) { @@ -40,3 +39,30 @@ isc_safe_memcmp(const void *s1, const void *s2, size_t n) { } return (ISC_TF(acc == 0)); } + + +int +isc_safe_memcompare(const void *b1, const void *b2, size_t len) { + const unsigned char *p1 = b1, *p2 = b2; + size_t i; + int res = 0, done = 0; + + for (i = 0; i < len; i++) { + /* lt is -1 if p1[i] < p2[i]; else 0. */ + int lt = (p1[i] - p2[i]) >> CHAR_BIT; + + /* gt is -1 if p1[i] > p2[i]; else 0. */ + int gt = (p2[i] - p1[i]) >> CHAR_BIT; + + /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */ + int cmp = lt - gt; + + /* set res = cmp if !done. */ + res |= cmp & ~done; + + /* set done if p1[i] != p2[i]. */ + done |= lt | gt; + } + + return (res); +} diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c index 7b7ac39926e..113ec8efc5b 100644 --- a/lib/isc/tests/safe_test.c +++ b/lib/isc/tests/safe_test.c @@ -28,25 +28,46 @@ #include #include -ATF_TC(isc_safe_memcmp); -ATF_TC_HEAD(isc_safe_memcmp, tc) { - atf_tc_set_md_var(tc, "descr", "safe memcmp()"); +ATF_TC(isc_safe_memequal); +ATF_TC_HEAD(isc_safe_memequal, tc) { + atf_tc_set_md_var(tc, "descr", "safe memequal()"); } -ATF_TC_BODY(isc_safe_memcmp, tc) { +ATF_TC_BODY(isc_safe_memequal, tc) { UNUSED(tc); - ATF_CHECK(isc_safe_memcmp("test", "test", 4)); - ATF_CHECK(!isc_safe_memcmp("test", "tesc", 4)); - ATF_CHECK(isc_safe_memcmp("\x00\x00\x00\x00", "\x00\x00\x00\x00", 4)); - ATF_CHECK(!isc_safe_memcmp("\x00\x00\x00\x00", "\x00\x00\x00\x01", 4)); - ATF_CHECK(!isc_safe_memcmp("\x00\x00\x00\x02", "\x00\x00\x00\x00", 4)); + ATF_CHECK(isc_safe_memequal("test", "test", 4)); + ATF_CHECK(!isc_safe_memequal("test", "tesc", 4)); + ATF_CHECK(isc_safe_memequal("\x00\x00\x00\x00", + "\x00\x00\x00\x00", 4)); + ATF_CHECK(!isc_safe_memequal("\x00\x00\x00\x00", + "\x00\x00\x00\x01", 4)); + ATF_CHECK(!isc_safe_memequal("\x00\x00\x00\x02", + "\x00\x00\x00\x00", 4)); +} + +ATF_TC(isc_safe_memcompare); +ATF_TC_HEAD(isc_safe_memcompare, tc) { + atf_tc_set_md_var(tc, "descr", "safe memcompare()"); +} +ATF_TC_BODY(isc_safe_memcompare, tc) { + UNUSED(tc); + + ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0); + ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0); + ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0); + ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", + "\x00\x00\x00\x00", 4) == 0); + ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", + "\x00\x00\x00\x01", 4) < 0); + ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02", + "\x00\x00\x00\x00", 4) > 0); } /* * Main */ ATF_TP_ADD_TCS(tp) { - ATF_TP_ADD_TC(tp, isc_safe_memcmp); + ATF_TP_ADD_TC(tp, isc_safe_memequal); + ATF_TP_ADD_TC(tp, isc_safe_memcompare); return (atf_no_error()); } - diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c index b6bcde93d57..30252336026 100644 --- a/lib/isccc/cc.c +++ b/lib/isccc/cc.c @@ -313,8 +313,8 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, /* * Verify. */ - if (!isc_safe_memcmp((unsigned char *) isccc_sexpr_tostring(hmd5), - digestb64, HMD5_LENGTH)) + if (!isc_safe_memequal((unsigned char *) isccc_sexpr_tostring(hmd5), + digestb64, HMD5_LENGTH)) return (ISCCC_R_BADAUTH); return (ISC_R_SUCCESS); -- 2.47.3