From b19633f9b94fbfff3777a432d02e0bf5405f372b Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 17 Feb 2022 15:35:51 +1300 Subject: [PATCH] Use constant-time memcmp when comparing sensitive buffers This helps to avoid timing attacks. Signed-off-by: Joseph Sutton --- kdc/digest-service.c | 2 +- kdc/digest.c | 2 +- lib/gssapi/krb5/8003.c | 2 +- lib/gssapi/krb5/arcfour.c | 2 +- lib/gssapi/netlogon/crypto.c | 2 +- lib/gssapi/ntlm/crypto.c | 2 +- lib/hcrypto/rsa.c | 2 +- lib/ntlm/ntlm.c | 8 ++++---- lib/otp/otp_verify.c | 2 +- 9 files changed, 12 insertions(+), 12 deletions(-) diff --git a/kdc/digest-service.c b/kdc/digest-service.c index 4ea76dbe7..275efaff5 100644 --- a/kdc/digest-service.c +++ b/kdc/digest-service.c @@ -179,7 +179,7 @@ ntlm_service(void *ctx, const heim_idata *req, goto failed; if (ntq.ntChallengeResponce.length != answer.length || - memcmp(ntq.ntChallengeResponce.data, answer.data, answer.length) != 0) { + ct_memcmp(ntq.ntChallengeResponce.data, answer.data, answer.length) != 0) { free(answer.data); ret = EINVAL; goto failed; diff --git a/kdc/digest.c b/kdc/digest.c index 092b4a75a..3285aaa54 100644 --- a/kdc/digest.c +++ b/kdc/digest.c @@ -1314,7 +1314,7 @@ _kdc_do_digest(krb5_context context, } if (ireq.u.ntlmRequest.ntlm.length != answer.length || - memcmp(ireq.u.ntlmRequest.ntlm.data, answer.data, answer.length) != 0) + ct_memcmp(ireq.u.ntlmRequest.ntlm.data, answer.data, answer.length) != 0) { free(answer.data); ret = EINVAL; diff --git a/lib/gssapi/krb5/8003.c b/lib/gssapi/krb5/8003.c index 3e2133635..bf7da11c7 100644 --- a/lib/gssapi/krb5/8003.c +++ b/lib/gssapi/krb5/8003.c @@ -259,7 +259,7 @@ _gsskrb5_verify_8003_checksum( } if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS - && (memcmp(p, zeros, sizeof(zeros)) != 0 || client_asserted_cb)) { + && (ct_memcmp(p, zeros, sizeof(zeros)) != 0 || client_asserted_cb)) { if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) { *minor_status = 0; return GSS_S_BAD_BINDINGS; diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c index 8931b32e1..d52a7d33d 100644 --- a/lib/gssapi/krb5/arcfour.c +++ b/lib/gssapi/krb5/arcfour.c @@ -1359,7 +1359,7 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status, return GSS_S_FAILURE; } - cmp = (memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ + cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ if (cmp) { *minor_status = 0; return GSS_S_BAD_MIC; diff --git a/lib/gssapi/netlogon/crypto.c b/lib/gssapi/netlogon/crypto.c index 0fc8f019d..6147eec55 100644 --- a/lib/gssapi/netlogon/crypto.c +++ b/lib/gssapi/netlogon/crypto.c @@ -588,7 +588,7 @@ _netlogon_unwrap_iov(OM_uint32 *minor_status, /* [MS-NRPC] 3.3.4.2.2.10: verify signature */ _netlogon_digest(ctx, sig, iov, iov_count, checksum); - if (memcmp(sig->Checksum, checksum, _netlogon_checksum_length(sig)) != 0) + if (ct_memcmp(sig->Checksum, checksum, _netlogon_checksum_length(sig)) != 0) return GSS_S_BAD_SIG; HEIMDAL_MUTEX_lock(&ctx->Mutex); diff --git a/lib/gssapi/ntlm/crypto.c b/lib/gssapi/ntlm/crypto.c index efa71d911..d1a115ff8 100644 --- a/lib/gssapi/ntlm/crypto.c +++ b/lib/gssapi/ntlm/crypto.c @@ -230,7 +230,7 @@ v2_verify_message(gss_buffer_t in, if (ret) return ret; - if (memcmp(checksum, out, 16) != 0) + if (ct_memcmp(checksum, out, 16) != 0) return GSS_S_BAD_MIC; return GSS_S_COMPLETE; diff --git a/lib/hcrypto/rsa.c b/lib/hcrypto/rsa.c index 61536466d..31470d006 100644 --- a/lib/hcrypto/rsa.c +++ b/lib/hcrypto/rsa.c @@ -426,7 +426,7 @@ RSA_verify(int type, const unsigned char *from, unsigned int flen, return -4; } - if (flen != di.digest.length || memcmp(di.digest.data, from, flen) != 0) { + if (flen != di.digest.length || ct_memcmp(di.digest.data, from, flen) != 0) { free_DigestInfo(&di); return -5; } diff --git a/lib/ntlm/ntlm.c b/lib/ntlm/ntlm.c index d75752ea0..7384e1807 100644 --- a/lib/ntlm/ntlm.c +++ b/lib/ntlm/ntlm.c @@ -682,7 +682,7 @@ heim_ntlm_decode_type1(const struct ntlm_buf *buf, struct ntlm_type1 *data) krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE); CHECK_SIZE(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig)); - CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0); + CHECK(ct_memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0); CHECK(krb5_ret_uint32(in, &type), 0); CHECK(type, 1); CHECK(krb5_ret_uint32(in, &data->flags), 0); @@ -844,7 +844,7 @@ heim_ntlm_decode_type2(const struct ntlm_buf *buf, struct ntlm_type2 *type2) krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE); CHECK_SIZE(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig)); - CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0); + CHECK(ct_memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0); CHECK(krb5_ret_uint32(in, &type), 0); CHECK(type, 2); @@ -1001,7 +1001,7 @@ heim_ntlm_decode_type3(const struct ntlm_buf *buf, krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE); CHECK_SIZE(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig)); - CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0); + CHECK(ct_memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0); CHECK(krb5_ret_uint32(in, &type), 0); CHECK(type, 3); CHECK(ret_sec_buffer(in, &lm), 0); @@ -1825,7 +1825,7 @@ verify_ntlm2(const void *key, size_t len, if (ret) goto out; - if (memcmp(serveranswer, clientanswer, 16) != 0) { + if (ct_memcmp(serveranswer, clientanswer, 16) != 0) { heim_ntlm_free_buf(infotarget); return HNTLM_ERR_AUTH; } diff --git a/lib/otp/otp_verify.c b/lib/otp/otp_verify.c index 8a1c743cc..373f9295a 100644 --- a/lib/otp/otp_verify.c +++ b/lib/otp/otp_verify.c @@ -49,7 +49,7 @@ otp_verify_user_1 (OtpContext *ctx, const char *passwd) } memcpy (key2, key1, sizeof(key1)); ctx->alg->next (key2); - if (memcmp (ctx->key, key2, sizeof(key2)) == 0) { + if (ct_memcmp (ctx->key, key2, sizeof(key2)) == 0) { --ctx->n; memcpy (ctx->key, key1, sizeof(key1)); return 0;