use timing-safe compares for checking results in signature verification

(there are no known attacks, this is just inexpensive prudence)

feedback and ok tb@ jsing@

diff --git a/lib/libcrypto/rsa/rsa_pmeth.c b/lib/libcrypto/rsa/rsa_pmeth.c
index b4a4e73..ea6401b 100644 (file)
--- a/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pmeth.c,v 1.20 2017/08/28 17:41:59 jsing Exp $ */
+/* $OpenBSD: rsa_pmeth.c,v 1.21 2018/09/05 00:55:33 djm Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -296,7 +296,7 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
                        return 0;
        }
 
-       if (rslen != tbslen || memcmp(tbs, rctx->tbuf, rslen))
+       if (rslen != tbslen || timingsafe_bcmp(tbs, rctx->tbuf, rslen))
                return 0;
 
        return 1;

diff --git a/lib/libcrypto/rsa/rsa_pss.c b/lib/libcrypto/rsa/rsa_pss.c
index 870f634..562f7b2 100644 (file)
--- a/lib/libcrypto/rsa/rsa_pss.c
+++ b/lib/libcrypto/rsa/rsa_pss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pss.c,v 1.12 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: rsa_pss.c,v 1.13 2018/09/05 00:55:33 djm Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -163,7 +163,7 @@ RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
        }
        if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
                goto err;
-       if (memcmp(H_, H, hLen)) {
+       if (timingsafe_bcmp(H_, H, hLen)) {
                RSAerror(RSA_R_BAD_SIGNATURE);
                ret = 0;
        } else

diff --git a/lib/libcrypto/rsa/rsa_saos.c b/lib/libcrypto/rsa/rsa_saos.c
index e1fbdcb..93492ac 100644 (file)
--- a/lib/libcrypto/rsa/rsa_saos.c
+++ b/lib/libcrypto/rsa/rsa_saos.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_saos.c,v 1.23 2017/05/02 03:59:45 deraadt Exp $ */
+/* $OpenBSD: rsa_saos.c,v 1.24 2018/09/05 00:55:33 djm Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -130,7 +130,7 @@ RSA_verify_ASN1_OCTET_STRING(int dtype, const unsigned char *m,
                goto err;
 
        if ((unsigned int)sig->length != m_len ||
-           memcmp(m, sig->data, m_len) != 0) {
+           timingsafe_bcmp(m, sig->data, m_len) != 0) {
                RSAerror(RSA_R_BAD_SIGNATURE);
        } else
                ret = 1;

diff --git a/lib/libcrypto/rsa/rsa_sign.c b/lib/libcrypto/rsa/rsa_sign.c
index 2383259..50e07f4 100644 (file)
--- a/lib/libcrypto/rsa/rsa_sign.c
+++ b/lib/libcrypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.30 2018/07/23 17:37:17 tb Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.31 2018/09/05 00:55:33 djm Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -214,7 +214,8 @@ int_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
                                RSAerror(RSA_R_INVALID_MESSAGE_LENGTH);
                                goto err;
                        }
-                       if (memcmp(decrypt_buf, m, SSL_SIG_LENGTH) != 0) {
+                       if (timingsafe_bcmp(decrypt_buf,
+                           m, SSL_SIG_LENGTH) != 0) {
                                RSAerror(RSA_R_BAD_SIGNATURE);
                                goto err;
                        }
@@ -244,7 +245,7 @@ int_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
                        goto err;
 
                if (encoded_len != decrypt_len ||
-                   memcmp(encoded, decrypt_buf, encoded_len) != 0) {
+                   timingsafe_bcmp(encoded, decrypt_buf, encoded_len) != 0) {
                        RSAerror(RSA_R_BAD_SIGNATURE);
                        goto err;
                }