From 2f115aa846580043bf0b23d9fcc2c382657c60f6 Mon Sep 17 00:00:00 2001
From: djm
Date: Wed, 5 Sep 2018 00:55:33 +0000
Subject: [PATCH] use timing-safe compares for checking results in signature verification (there are no known attacks, this is just inexpensive prudence) feedback and ok tb@ jsing@
---
 lib/libcrypto/rsa/rsa_pmeth.c | 4 ++--
 lib/libcrypto/rsa/rsa_pss.c | 4 ++--
 lib/libcrypto/rsa/rsa_saos.c | 4 ++--
 lib/libcrypto/rsa/rsa_sign.c | 7 ++++---
 4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/lib/libcrypto/rsa/rsa_pmeth.c b/lib/libcrypto/rsa/rsa_pmeth.c
index b4a4e730c01..ea6401b3dab 100644
--- a/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pmeth.c,v 1.20 2017/08/28 17:41:59 jsing Exp $ */
+/* $OpenBSD: rsa_pmeth.c,v 1.21 2018/09/05 00:55:33 djm Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -296,7 +296,7 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
 return 0;
 }
- if (rslen != tbslen || memcmp(tbs, rctx->tbuf, rslen))
+ if (rslen != tbslen || timingsafe_bcmp(tbs, rctx->tbuf, rslen))
 return 0;
 return 1;
diff --git a/lib/libcrypto/rsa/rsa_pss.c b/lib/libcrypto/rsa/rsa_pss.c
index 870f634b8de..562f7b252c9 100644
--- a/lib/libcrypto/rsa/rsa_pss.c
+++ b/lib/libcrypto/rsa/rsa_pss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pss.c,v 1.12 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: rsa_pss.c,v 1.13 2018/09/05 00:55:33 djm Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -163,7 +163,7 @@ RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
 }
 if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
 goto err;
- if (memcmp(H_, H, hLen)) {
+ if (timingsafe_bcmp(H_, H, hLen)) {
 RSAerror(RSA_R_BAD_SIGNATURE);
 ret = 0;
 } else
diff --git a/lib/libcrypto/rsa/rsa_saos.c b/lib/libcrypto/rsa/rsa_saos.c
index e1fbdcb5dfb..93492ac5035 100644
--- a/lib/libcrypto/rsa/rsa_saos.c
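Review bot: The `rslen != tbslen` test on the new line still short-circuits ahead of the constant-time compare, so control flow branches on the length of the recovered digest before `timingsafe_bcmp` ever runs; that is acceptable because digest lengths are public, but the intent should be written down so a later reader does not "fix" it or, worse, drop the length check that bounds the read of `rctx->tbuf`: `/* Lengths are public and may fail fast; only the content compare needs to be timing-safe. */`. `timingsafe_bcmp` is an OpenBSD libc extension declared in `<string.h>`, so a portable build needs its compat shim; the file's includes are outside the hunk and I could not confirm them. pkey_rsa_verify begins outside the hunk.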
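Review bot: The failure branch under the new `timingsafe_bcmp(H_, H, hLen)` reports the error with `ret = 0` and falls through, while the `EVP_DigestFinal_ex` failure two lines above uses `goto err`; mixing the two conventions in adjacent lines makes it easy for a later edit after the `else` to run on the failure path by accident. If nothing between the `else` branch and `err:` has to run on failure (the function's tail is outside the hunk), `goto err;` after `RSAerror(RSA_R_BAD_SIGNATURE);` would match the surrounding style; keep the assignment if `ret` is not already 0 at that point. A one-line comment that `H_` is the digest just finalized and `H` is presumably the value recovered from the encoded message would also tell a reader why this compare is the verification step. RSA_verify_PKCS1_PSS_mgf1 starts and ends outside the hunk.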
+++ b/lib/libcrypto/rsa/rsa_saos.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_saos.c,v 1.23 2017/05/02 03:59:45 deraadt Exp $ */
+/* $OpenBSD: rsa_saos.c,v 1.24 2018/09/05 00:55:33 djm Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -130,7 +130,7 @@ RSA_verify_ASN1_OCTET_STRING(int dtype, const unsigned char *m,
 goto err;
 if ((unsigned int)sig->length != m_len ||
- memcmp(m, sig->data, m_len) != 0) {
+ timingsafe_bcmp(m, sig->data, m_len) != 0) {
 RSAerror(RSA_R_BAD_SIGNATURE);
 } else
 ret = 1;
diff --git a/lib/libcrypto/rsa/rsa_sign.c b/lib/libcrypto/rsa/rsa_sign.c
index 2383259ddaf..50e07f4f1e2 100644
--- a/lib/libcrypto/rsa/rsa_sign.c
+++ b/lib/libcrypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.30 2018/07/23 17:37:17 tb Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.31 2018/09/05 00:55:33 djm Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -214,7 +214,8 @@ int_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
 RSAerror(RSA_R_INVALID_MESSAGE_LENGTH);
 goto err;
 }
- if (memcmp(decrypt_buf, m, SSL_SIG_LENGTH) != 0) {
+ if (timingsafe_bcmp(decrypt_buf,
+ m, SSL_SIG_LENGTH) != 0) {
 RSAerror(RSA_R_BAD_SIGNATURE);
 goto err;
 }
@@ -244,7 +245,7 @@ int_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
 goto err;
 if (encoded_len != decrypt_len ||
- memcmp(encoded, decrypt_buf, encoded_len) != 0) {
+ timingsafe_bcmp(encoded, decrypt_buf, encoded_len) != 0) {
 RSAerror(RSA_R_BAD_SIGNATURE);
 goto err;
 }
-- 
2.20.1
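Review bot: The new `timingsafe_bcmp(m, sig->data, m_len)` reads `m_len` bytes of `sig->data`, and the only thing bounding that read is the `(unsigned int)sig->length != m_len` test on the line before, which short-circuits first; that ordering is correct and may stay a fast-fail because both lengths are public, but the dependency is worth stating so the clauses are never swapped: `/* The length test bounds the read below; lengths are public, so failing fast is fine. */`. The cast also turns a negative `sig->length` into a large value that merely mismatches, which is safe by accident rather than by design; an explicit `sig->length < 0 ||` clause ahead of it would state the intent. RSA_verify_ASN1_OCTET_STRING begins and ends outside the hunk.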
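Review bot: The fixed-size `timingsafe_bcmp(decrypt_buf, m, SSL_SIG_LENGTH)` is only a bounded read if both `m_len` and the length of the recovered data were checked against `SSL_SIG_LENGTH` before it; the `RSA_R_INVALID_MESSAGE_LENGTH` error just above implies the `m_len` check, but its condition and any check on `decrypt_buf`'s length are outside the hunk, so please confirm the latter exists on this path. A short comment at the compare would save the next reader the same search: `/* Both m_len and the recovered length equal SSL_SIG_LENGTH here (checked above). */`. int_rsa_verify begins and ends outside the hunk.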
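Review bot: The compare on the new line runs over `encoded_len` bytes of `decrypt_buf`, so the `encoded_len != decrypt_len` test ahead of it is what bounds the read and must stay in front; it may remain a fast-fail since both lengths are public, and a comment should say so: `/* Lengths are public: a mismatch bounds the read and may fail fast. */`. Comparing the whole re-encoded value (presumably the DigestInfo built from `m`; its construction is outside the hunk) against the recovered buffer, rather than parsing the recovered buffer, is what rejects malformed padding, and a one-line comment naming that intent would keep a future refactor from drifting back to parsing. int_rsa_verify begins and ends outside the hunk.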