aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2017-09-16 14:45:52 -0400
committerJack Lloyd <[email protected]>2017-09-16 14:45:52 -0400
commit83932f30ff02d285c8a7e2a363601f460d55d268 (patch)
tree4bb4a54d89c8584bea8fa19774e9e22ae77278cf
parentf39aa7bb4e43e27b10d3f890da7ba1acba9f14ca (diff)
Use constant_time_compare instead of same_mem
New name, same great operation
-rw-r--r--src/lib/ffi/ffi.cpp7
-rw-r--r--src/lib/ffi/ffi.h5
-rw-r--r--src/lib/mac/mac.cpp2
-rw-r--r--src/lib/misc/cryptobox/cryptobox.cpp2
-rw-r--r--src/lib/misc/tss/tss.cpp7
-rw-r--r--src/lib/modes/aead/ccm/ccm.cpp2
-rw-r--r--src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp2
-rw-r--r--src/lib/modes/aead/eax/eax.cpp2
-rw-r--r--src/lib/modes/aead/gcm/gcm.cpp2
-rw-r--r--src/lib/modes/aead/ocb/ocb.cpp2
-rw-r--r--src/lib/passhash/passhash9/passhash9.cpp2
-rw-r--r--src/lib/pk_pad/eme_oaep/oaep.cpp2
-rw-r--r--src/lib/pk_pad/emsa1/emsa1.cpp2
-rw-r--r--src/lib/pk_pad/emsa_pssr/pssr.cpp2
-rw-r--r--src/lib/pk_pad/emsa_raw/emsa_raw.cpp2
-rw-r--r--src/lib/pk_pad/iso9796/iso9796.cpp2
-rw-r--r--src/lib/pubkey/dlies/dlies.cpp2
-rw-r--r--src/lib/pubkey/ecies/ecies.cpp2
-rw-r--r--src/lib/pubkey/ed25519/ed25519.cpp2
-rw-r--r--src/lib/pubkey/sm2/sm2_enc.cpp2
-rw-r--r--src/lib/tls/msg_finished.cpp2
-rw-r--r--src/lib/tls/tls_cbc/tls_cbc.cpp4
22 files changed, 36 insertions, 23 deletions
diff --git a/src/lib/ffi/ffi.cpp b/src/lib/ffi/ffi.cpp
index 1dfa66e5f..00181dbc9 100644
--- a/src/lib/ffi/ffi.cpp
+++ b/src/lib/ffi/ffi.cpp
@@ -63,9 +63,14 @@ uint32_t botan_version_minor() { return Botan::version_minor(); }
uint32_t botan_version_patch() { return Botan::version_patch(); }
uint32_t botan_version_datestamp() { return Botan::version_datestamp(); }
+int botan_constant_time_compare(const uint8_t* x, const uint8_t* y, size_t len)
+ {
+ return Botan::constant_time_compare(x, y, len) ? 0 : -1;
+ }
+
int botan_same_mem(const uint8_t* x, const uint8_t* y, size_t len)
{
- return Botan::same_mem(x, y, len) ? 0 : -1;
+ return botan_constant_time_compare(x, y, len);
}
int botan_scrub_mem(void* mem, size_t bytes)
diff --git a/src/lib/ffi/ffi.h b/src/lib/ffi/ffi.h
index de752f43c..73c999f66 100644
--- a/src/lib/ffi/ffi.h
+++ b/src/lib/ffi/ffi.h
@@ -155,6 +155,11 @@ doesn't exactly work well either!
/**
* Returns 0 if x[0..len] == y[0..len], or otherwise -1
*/
+BOTAN_DLL int botan_constant_time_compare(const uint8_t* x, const uint8_t* y, size_t len);
+
+/**
+* Deprecated equivalent to botan_constant_time_compare
+*/
BOTAN_DLL int botan_same_mem(const uint8_t* x, const uint8_t* y, size_t len);
/**
diff --git a/src/lib/mac/mac.cpp b/src/lib/mac/mac.cpp
index c48deb24b..053e36b6f 100644
--- a/src/lib/mac/mac.cpp
+++ b/src/lib/mac/mac.cpp
@@ -155,7 +155,7 @@ bool MessageAuthenticationCode::verify_mac(const uint8_t mac[], size_t length)
if(our_mac.size() != length)
return false;
- return same_mem(our_mac.data(), mac, length);
+ return constant_time_compare(our_mac.data(), mac, length);
}
}
diff --git a/src/lib/misc/cryptobox/cryptobox.cpp b/src/lib/misc/cryptobox/cryptobox.cpp
index 944adef49..0ff6fe8f5 100644
--- a/src/lib/misc/cryptobox/cryptobox.cpp
+++ b/src/lib/misc/cryptobox/cryptobox.cpp
@@ -145,7 +145,7 @@ std::string decrypt(const uint8_t input[], size_t input_len,
uint8_t computed_mac[MAC_OUTPUT_LEN];
BOTAN_ASSERT_EQUAL(MAC_OUTPUT_LEN, pipe.read(computed_mac, MAC_OUTPUT_LEN, 1), "MAC size");
- if(!same_mem(computed_mac,
+ if(!constant_time_compare(computed_mac,
&ciphertext[VERSION_CODE_LEN + PBKDF_SALT_LEN],
MAC_OUTPUT_LEN))
throw Decoding_Error("CryptoBox integrity failure");
diff --git a/src/lib/misc/tss/tss.cpp b/src/lib/misc/tss/tss.cpp
index a7b0c4eac..2039e5fea 100644
--- a/src/lib/misc/tss/tss.cpp
+++ b/src/lib/misc/tss/tss.cpp
@@ -250,9 +250,12 @@ RTSS_Share::reconstruct(const std::vector<RTSS_Share>& shares)
hash->update(secret.data(), secret_len);
secure_vector<uint8_t> hash_check = hash->final();
- if(!same_mem(hash_check.data(),
- &secret[secret_len], hash->output_length()))
+ if(!constant_time_compare(hash_check.data(),
+ &secret[secret_len],
+ hash->output_length()))
+ {
throw Decoding_Error("RTSS hash check failed");
+ }
return secure_vector<uint8_t>(secret.cbegin(), secret.cbegin() + secret_len);
}
diff --git a/src/lib/modes/aead/ccm/ccm.cpp b/src/lib/modes/aead/ccm/ccm.cpp
index b7f81e5ab..5a1de4908 100644
--- a/src/lib/modes/aead/ccm/ccm.cpp
+++ b/src/lib/modes/aead/ccm/ccm.cpp
@@ -260,7 +260,7 @@ void CCM_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
T ^= S0;
- if(!same_mem(T.data(), buf_end, tag_size()))
+ if(!constant_time_compare(T.data(), buf_end, tag_size()))
throw Integrity_Failure("CCM tag check failed");
buffer.resize(buffer.size() - tag_size());
diff --git a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
index 64169a9b8..e1fd4978c 100644
--- a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
+++ b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
@@ -157,7 +157,7 @@ void ChaCha20Poly1305_Decryption::finish(secure_vector<uint8_t>& buffer, size_t
m_ctext_len = 0;
- if(!same_mem(mac.data(), included_tag, tag_size()))
+ if(!constant_time_compare(mac.data(), included_tag, tag_size()))
throw Integrity_Failure("ChaCha20Poly1305 tag check failed");
buffer.resize(offset + remaining);
}
diff --git a/src/lib/modes/aead/eax/eax.cpp b/src/lib/modes/aead/eax/eax.cpp
index 4889ac21a..66cd90151 100644
--- a/src/lib/modes/aead/eax/eax.cpp
+++ b/src/lib/modes/aead/eax/eax.cpp
@@ -169,7 +169,7 @@ void EAX_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
mac ^= m_ad_mac;
- if(!same_mem(mac.data(), included_tag, tag_size()))
+ if(!constant_time_compare(mac.data(), included_tag, tag_size()))
throw Integrity_Failure("EAX tag check failed");
buffer.resize(offset + remaining);
diff --git a/src/lib/modes/aead/gcm/gcm.cpp b/src/lib/modes/aead/gcm/gcm.cpp
index becd3484b..9c6a85282 100644
--- a/src/lib/modes/aead/gcm/gcm.cpp
+++ b/src/lib/modes/aead/gcm/gcm.cpp
@@ -317,7 +317,7 @@ void GCM_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
const uint8_t* included_tag = &buffer[remaining+offset];
- if(!same_mem(mac.data(), included_tag, tag_size()))
+ if(!constant_time_compare(mac.data(), included_tag, tag_size()))
throw Integrity_Failure("GCM tag check failed");
buffer.resize(offset + remaining);
diff --git a/src/lib/modes/aead/ocb/ocb.cpp b/src/lib/modes/aead/ocb/ocb.cpp
index aa8532526..4e1076cba 100644
--- a/src/lib/modes/aead/ocb/ocb.cpp
+++ b/src/lib/modes/aead/ocb/ocb.cpp
@@ -409,7 +409,7 @@ void OCB_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
// compare mac
const uint8_t* included_tag = &buf[remaining];
- if(!same_mem(mac.data(), included_tag, tag_size()))
+ if(!constant_time_compare(mac.data(), included_tag, tag_size()))
throw Integrity_Failure("OCB tag check failed");
// remove tag from end of message
diff --git a/src/lib/passhash/passhash9/passhash9.cpp b/src/lib/passhash/passhash9/passhash9.cpp
index e78ac5012..1fa88c8c4 100644
--- a/src/lib/passhash/passhash9/passhash9.cpp
+++ b/src/lib/passhash/passhash9/passhash9.cpp
@@ -122,7 +122,7 @@ bool check_passhash9(const std::string& pass, const std::string& hash)
&bin[ALGID_BYTES + WORKFACTOR_BYTES], SALT_BYTES,
kdf_iterations).bits_of();
- return same_mem(cmp.data(),
+ return constant_time_compare(cmp.data(),
&bin[ALGID_BYTES + WORKFACTOR_BYTES + SALT_BYTES],
PASSHASH9_PBKDF_OUTPUT_LEN);
}
diff --git a/src/lib/pk_pad/eme_oaep/oaep.cpp b/src/lib/pk_pad/eme_oaep/oaep.cpp
index ef2fb81bb..71f5c14e0 100644
--- a/src/lib/pk_pad/eme_oaep/oaep.cpp
+++ b/src/lib/pk_pad/eme_oaep/oaep.cpp
@@ -106,7 +106,7 @@ secure_vector<uint8_t> OAEP::unpad(uint8_t& valid_mask,
// If we never saw any non-zero byte, then it's not valid input
bad_input |= waiting_for_delim;
- bad_input |= CT::is_equal<uint8_t>(same_mem(&input[hlen], m_Phash.data(), hlen), false);
+ bad_input |= CT::is_equal<uint8_t>(constant_time_compare(&input[hlen], m_Phash.data(), hlen), false);
CT::unpoison(input.data(), input.size());
CT::unpoison(&bad_input, 1);
diff --git a/src/lib/pk_pad/emsa1/emsa1.cpp b/src/lib/pk_pad/emsa1/emsa1.cpp
index 82c3b86a7..e3580ff93 100644
--- a/src/lib/pk_pad/emsa1/emsa1.cpp
+++ b/src/lib/pk_pad/emsa1/emsa1.cpp
@@ -85,7 +85,7 @@ bool EMSA1::verify(const secure_vector<uint8_t>& input,
if(our_coding[i] != 0)
return false;
- return same_mem(input.data(), &our_coding[offset], input.size());
+ return constant_time_compare(input.data(), &our_coding[offset], input.size());
}
catch(Invalid_Argument)
{
diff --git a/src/lib/pk_pad/emsa_pssr/pssr.cpp b/src/lib/pk_pad/emsa_pssr/pssr.cpp
index 5f76b5a6f..65ee5a145 100644
--- a/src/lib/pk_pad/emsa_pssr/pssr.cpp
+++ b/src/lib/pk_pad/emsa_pssr/pssr.cpp
@@ -122,7 +122,7 @@ bool PSSR::verify(const secure_vector<uint8_t>& const_coded,
m_hash->update(&DB[salt_offset], DB_size - salt_offset);
secure_vector<uint8_t> H2 = m_hash->final();
- return same_mem(H, H2.data(), HASH_SIZE);
+ return constant_time_compare(H, H2.data(), HASH_SIZE);
}
PSSR::PSSR(HashFunction* h) :
diff --git a/src/lib/pk_pad/emsa_raw/emsa_raw.cpp b/src/lib/pk_pad/emsa_raw/emsa_raw.cpp
index bae7b2d04..cf2426298 100644
--- a/src/lib/pk_pad/emsa_raw/emsa_raw.cpp
+++ b/src/lib/pk_pad/emsa_raw/emsa_raw.cpp
@@ -75,7 +75,7 @@ bool EMSA_Raw::verify(const secure_vector<uint8_t>& coded,
if(raw[i])
same_modulo_leading_zeros = false;
- if(!same_mem(coded.data(), raw.data() + leading_zeros_expected, coded.size()))
+ if(!constant_time_compare(coded.data(), raw.data() + leading_zeros_expected, coded.size()))
same_modulo_leading_zeros = false;
return same_modulo_leading_zeros;
diff --git a/src/lib/pk_pad/iso9796/iso9796.cpp b/src/lib/pk_pad/iso9796/iso9796.cpp
index 6dcae799a..8608e7239 100644
--- a/src/lib/pk_pad/iso9796/iso9796.cpp
+++ b/src/lib/pk_pad/iso9796/iso9796.cpp
@@ -202,7 +202,7 @@ bool iso9796_verification(const secure_vector<uint8_t>& const_coded,
secure_vector<uint8_t> H2 = hash->final();
//check if H3 == H2
- bad_input |= CT::is_equal<uint8_t>(same_mem(H3.data(), H2.data(), HASH_SIZE), false);
+ bad_input |= CT::is_equal<uint8_t>(constant_time_compare(H3.data(), H2.data(), HASH_SIZE), false);
CT::unpoison(bad_input);
return (bad_input == 0);
diff --git a/src/lib/pubkey/dlies/dlies.cpp b/src/lib/pubkey/dlies/dlies.cpp
index a4171a55f..a4603f0d7 100644
--- a/src/lib/pubkey/dlies/dlies.cpp
+++ b/src/lib/pubkey/dlies/dlies.cpp
@@ -175,7 +175,7 @@ secure_vector<uint8_t> DLIES_Decryptor::do_decrypt(uint8_t& valid_mask,
secure_vector<uint8_t> tag(msg + m_pub_key_size + ciphertext_len,
msg + m_pub_key_size + ciphertext_len + m_mac->output_length());
- valid_mask = CT::expand_mask<uint8_t>(same_mem(tag.data(), calculated_tag.data(), tag.size()));
+ valid_mask = CT::expand_mask<uint8_t>(constant_time_compare(tag.data(), calculated_tag.data(), tag.size()));
// decrypt
if(m_cipher)
diff --git a/src/lib/pubkey/ecies/ecies.cpp b/src/lib/pubkey/ecies/ecies.cpp
index df676cfb3..b8fcea64b 100644
--- a/src/lib/pubkey/ecies/ecies.cpp
+++ b/src/lib/pubkey/ecies/ecies.cpp
@@ -363,7 +363,7 @@ secure_vector<uint8_t> ECIES_Decryptor::do_decrypt(uint8_t& valid_mask, const ui
mac->update(m_label);
}
const secure_vector<uint8_t> calculated_mac = mac->final();
- valid_mask = CT::expand_mask<uint8_t>(same_mem(mac_data.data(), calculated_mac.data(), mac_data.size()));
+ valid_mask = CT::expand_mask<uint8_t>(constant_time_compare(mac_data.data(), calculated_mac.data(), mac_data.size()));
if(valid_mask)
{
diff --git a/src/lib/pubkey/ed25519/ed25519.cpp b/src/lib/pubkey/ed25519/ed25519.cpp
index 13f75ac3b..5c9bd2b3d 100644
--- a/src/lib/pubkey/ed25519/ed25519.cpp
+++ b/src/lib/pubkey/ed25519/ed25519.cpp
@@ -90,7 +90,7 @@ bool ed25519_verify(const uint8_t* m, size_t mlen,
ge_double_scalarmult_vartime(rcheck, h, &A, sig + 32);
- return same_mem(rcheck, sig, 32);
+ return constant_time_compare(rcheck, sig, 32);
}
}
diff --git a/src/lib/pubkey/sm2/sm2_enc.cpp b/src/lib/pubkey/sm2/sm2_enc.cpp
index b05ce12da..aca31941d 100644
--- a/src/lib/pubkey/sm2/sm2_enc.cpp
+++ b/src/lib/pubkey/sm2/sm2_enc.cpp
@@ -190,7 +190,7 @@ class SM2_Decryption_Operation : public PK_Ops::Decryption
hash->update(y2_bytes);
secure_vector<uint8_t> u = hash->final();
- if(same_mem(u.data(), ciphertext + (1+p_bytes*2), hash->output_length()) == false)
+ if(constant_time_compare(u.data(), ciphertext + (1+p_bytes*2), hash->output_length()) == false)
return secure_vector<uint8_t>();
valid_mask = 0xFF;
diff --git a/src/lib/tls/msg_finished.cpp b/src/lib/tls/msg_finished.cpp
index f00311729..0fbfc0738 100644
--- a/src/lib/tls/msg_finished.cpp
+++ b/src/lib/tls/msg_finished.cpp
@@ -81,7 +81,7 @@ bool Finished::verify(const Handshake_State& state,
return true;
#else
return (m_verification_data.size() == computed_verify.size()) &&
- same_mem(m_verification_data.data(), computed_verify.data(), computed_verify.size());
+ constant_time_compare(m_verification_data.data(), computed_verify.data(), computed_verify.size());
#endif
}
diff --git a/src/lib/tls/tls_cbc/tls_cbc.cpp b/src/lib/tls/tls_cbc/tls_cbc.cpp
index e63893d75..244ddfb99 100644
--- a/src/lib/tls/tls_cbc/tls_cbc.cpp
+++ b/src/lib/tls/tls_cbc/tls_cbc.cpp
@@ -397,7 +397,7 @@ void TLS_CBC_HMAC_AEAD_Decryption::finish(secure_vector<uint8_t>& buffer, size_t
const size_t mac_offset = enc_size;
- const bool mac_ok = same_mem(&record_contents[mac_offset], mac_buf.data(), tag_size());
+ const bool mac_ok = constant_time_compare(&record_contents[mac_offset], mac_buf.data(), tag_size());
if(!mac_ok)
{
@@ -459,7 +459,7 @@ void TLS_CBC_HMAC_AEAD_Decryption::finish(secure_vector<uint8_t>& buffer, size_t
const size_t mac_offset = record_len - (tag_size() + pad_size);
- const bool mac_ok = same_mem(&record_contents[mac_offset], mac_buf.data(), tag_size());
+ const bool mac_ok = constant_time_compare(&record_contents[mac_offset], mac_buf.data(), tag_size());
const uint16_t ok_mask = size_ok_mask & CT::expand_mask<uint16_t>(mac_ok) & CT::expand_mask<uint16_t>(pad_size);