diff options
-rw-r--r-- | src/lib/ffi/ffi.cpp | 7 | ||||
-rw-r--r-- | src/lib/ffi/ffi.h | 5 | ||||
-rw-r--r-- | src/lib/mac/mac.cpp | 2 | ||||
-rw-r--r-- | src/lib/misc/cryptobox/cryptobox.cpp | 2 | ||||
-rw-r--r-- | src/lib/misc/tss/tss.cpp | 7 | ||||
-rw-r--r-- | src/lib/modes/aead/ccm/ccm.cpp | 2 | ||||
-rw-r--r-- | src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp | 2 | ||||
-rw-r--r-- | src/lib/modes/aead/eax/eax.cpp | 2 | ||||
-rw-r--r-- | src/lib/modes/aead/gcm/gcm.cpp | 2 | ||||
-rw-r--r-- | src/lib/modes/aead/ocb/ocb.cpp | 2 | ||||
-rw-r--r-- | src/lib/passhash/passhash9/passhash9.cpp | 2 | ||||
-rw-r--r-- | src/lib/pk_pad/eme_oaep/oaep.cpp | 2 | ||||
-rw-r--r-- | src/lib/pk_pad/emsa1/emsa1.cpp | 2 | ||||
-rw-r--r-- | src/lib/pk_pad/emsa_pssr/pssr.cpp | 2 | ||||
-rw-r--r-- | src/lib/pk_pad/emsa_raw/emsa_raw.cpp | 2 | ||||
-rw-r--r-- | src/lib/pk_pad/iso9796/iso9796.cpp | 2 | ||||
-rw-r--r-- | src/lib/pubkey/dlies/dlies.cpp | 2 | ||||
-rw-r--r-- | src/lib/pubkey/ecies/ecies.cpp | 2 | ||||
-rw-r--r-- | src/lib/pubkey/ed25519/ed25519.cpp | 2 | ||||
-rw-r--r-- | src/lib/pubkey/sm2/sm2_enc.cpp | 2 | ||||
-rw-r--r-- | src/lib/tls/msg_finished.cpp | 2 | ||||
-rw-r--r-- | src/lib/tls/tls_cbc/tls_cbc.cpp | 4 |
22 files changed, 36 insertions, 23 deletions
diff --git a/src/lib/ffi/ffi.cpp b/src/lib/ffi/ffi.cpp index 1dfa66e5f..00181dbc9 100644 --- a/src/lib/ffi/ffi.cpp +++ b/src/lib/ffi/ffi.cpp @@ -63,9 +63,14 @@ uint32_t botan_version_minor() { return Botan::version_minor(); } uint32_t botan_version_patch() { return Botan::version_patch(); } uint32_t botan_version_datestamp() { return Botan::version_datestamp(); } +int botan_constant_time_compare(const uint8_t* x, const uint8_t* y, size_t len) + { + return Botan::constant_time_compare(x, y, len) ? 0 : -1; + } + int botan_same_mem(const uint8_t* x, const uint8_t* y, size_t len) { - return Botan::same_mem(x, y, len) ? 0 : -1; + return botan_constant_time_compare(x, y, len); } int botan_scrub_mem(void* mem, size_t bytes) diff --git a/src/lib/ffi/ffi.h b/src/lib/ffi/ffi.h index de752f43c..73c999f66 100644 --- a/src/lib/ffi/ffi.h +++ b/src/lib/ffi/ffi.h @@ -155,6 +155,11 @@ doesn't exactly work well either! /** * Returns 0 if x[0..len] == y[0..len], or otherwise -1 */ +BOTAN_DLL int botan_constant_time_compare(const uint8_t* x, const uint8_t* y, size_t len); + +/** +* Deprecated equivalent to botan_constant_time_compare +*/ BOTAN_DLL int botan_same_mem(const uint8_t* x, const uint8_t* y, size_t len); /** diff --git a/src/lib/mac/mac.cpp b/src/lib/mac/mac.cpp index c48deb24b..053e36b6f 100644 --- a/src/lib/mac/mac.cpp +++ b/src/lib/mac/mac.cpp @@ -155,7 +155,7 @@ bool MessageAuthenticationCode::verify_mac(const uint8_t mac[], size_t length) if(our_mac.size() != length) return false; - return same_mem(our_mac.data(), mac, length); + return constant_time_compare(our_mac.data(), mac, length); } } diff --git a/src/lib/misc/cryptobox/cryptobox.cpp b/src/lib/misc/cryptobox/cryptobox.cpp index 944adef49..0ff6fe8f5 100644 --- a/src/lib/misc/cryptobox/cryptobox.cpp +++ b/src/lib/misc/cryptobox/cryptobox.cpp @@ -145,7 +145,7 @@ std::string decrypt(const uint8_t input[], size_t input_len, uint8_t computed_mac[MAC_OUTPUT_LEN]; BOTAN_ASSERT_EQUAL(MAC_OUTPUT_LEN, pipe.read(computed_mac, MAC_OUTPUT_LEN, 1), "MAC size"); - if(!same_mem(computed_mac, + if(!constant_time_compare(computed_mac, &ciphertext[VERSION_CODE_LEN + PBKDF_SALT_LEN], MAC_OUTPUT_LEN)) throw Decoding_Error("CryptoBox integrity failure"); diff --git a/src/lib/misc/tss/tss.cpp b/src/lib/misc/tss/tss.cpp index a7b0c4eac..2039e5fea 100644 --- a/src/lib/misc/tss/tss.cpp +++ b/src/lib/misc/tss/tss.cpp @@ -250,9 +250,12 @@ RTSS_Share::reconstruct(const std::vector<RTSS_Share>& shares) hash->update(secret.data(), secret_len); secure_vector<uint8_t> hash_check = hash->final(); - if(!same_mem(hash_check.data(), - &secret[secret_len], hash->output_length())) + if(!constant_time_compare(hash_check.data(), + &secret[secret_len], + hash->output_length())) + { throw Decoding_Error("RTSS hash check failed"); + } return secure_vector<uint8_t>(secret.cbegin(), secret.cbegin() + secret_len); } diff --git a/src/lib/modes/aead/ccm/ccm.cpp b/src/lib/modes/aead/ccm/ccm.cpp index b7f81e5ab..5a1de4908 100644 --- a/src/lib/modes/aead/ccm/ccm.cpp +++ b/src/lib/modes/aead/ccm/ccm.cpp @@ -260,7 +260,7 @@ void CCM_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset) T ^= S0; - if(!same_mem(T.data(), buf_end, tag_size())) + if(!constant_time_compare(T.data(), buf_end, tag_size())) throw Integrity_Failure("CCM tag check failed"); buffer.resize(buffer.size() - tag_size()); diff --git a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp index 64169a9b8..e1fd4978c 100644 --- a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp +++ b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp @@ -157,7 +157,7 @@ void ChaCha20Poly1305_Decryption::finish(secure_vector<uint8_t>& buffer, size_t m_ctext_len = 0; - if(!same_mem(mac.data(), included_tag, tag_size())) + if(!constant_time_compare(mac.data(), included_tag, tag_size())) throw Integrity_Failure("ChaCha20Poly1305 tag check failed"); buffer.resize(offset + remaining); } diff --git a/src/lib/modes/aead/eax/eax.cpp b/src/lib/modes/aead/eax/eax.cpp index 4889ac21a..66cd90151 100644 --- a/src/lib/modes/aead/eax/eax.cpp +++ b/src/lib/modes/aead/eax/eax.cpp @@ -169,7 +169,7 @@ void EAX_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset) mac ^= m_ad_mac; - if(!same_mem(mac.data(), included_tag, tag_size())) + if(!constant_time_compare(mac.data(), included_tag, tag_size())) throw Integrity_Failure("EAX tag check failed"); buffer.resize(offset + remaining); diff --git a/src/lib/modes/aead/gcm/gcm.cpp b/src/lib/modes/aead/gcm/gcm.cpp index becd3484b..9c6a85282 100644 --- a/src/lib/modes/aead/gcm/gcm.cpp +++ b/src/lib/modes/aead/gcm/gcm.cpp @@ -317,7 +317,7 @@ void GCM_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset) const uint8_t* included_tag = &buffer[remaining+offset]; - if(!same_mem(mac.data(), included_tag, tag_size())) + if(!constant_time_compare(mac.data(), included_tag, tag_size())) throw Integrity_Failure("GCM tag check failed"); buffer.resize(offset + remaining); diff --git a/src/lib/modes/aead/ocb/ocb.cpp b/src/lib/modes/aead/ocb/ocb.cpp index aa8532526..4e1076cba 100644 --- a/src/lib/modes/aead/ocb/ocb.cpp +++ b/src/lib/modes/aead/ocb/ocb.cpp @@ -409,7 +409,7 @@ void OCB_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset) // compare mac const uint8_t* included_tag = &buf[remaining]; - if(!same_mem(mac.data(), included_tag, tag_size())) + if(!constant_time_compare(mac.data(), included_tag, tag_size())) throw Integrity_Failure("OCB tag check failed"); // remove tag from end of message diff --git a/src/lib/passhash/passhash9/passhash9.cpp b/src/lib/passhash/passhash9/passhash9.cpp index e78ac5012..1fa88c8c4 100644 --- a/src/lib/passhash/passhash9/passhash9.cpp +++ b/src/lib/passhash/passhash9/passhash9.cpp @@ -122,7 +122,7 @@ bool check_passhash9(const std::string& pass, const std::string& hash) &bin[ALGID_BYTES + WORKFACTOR_BYTES], SALT_BYTES, kdf_iterations).bits_of(); - return same_mem(cmp.data(), + return constant_time_compare(cmp.data(), &bin[ALGID_BYTES + WORKFACTOR_BYTES + SALT_BYTES], PASSHASH9_PBKDF_OUTPUT_LEN); } diff --git a/src/lib/pk_pad/eme_oaep/oaep.cpp b/src/lib/pk_pad/eme_oaep/oaep.cpp index ef2fb81bb..71f5c14e0 100644 --- a/src/lib/pk_pad/eme_oaep/oaep.cpp +++ b/src/lib/pk_pad/eme_oaep/oaep.cpp @@ -106,7 +106,7 @@ secure_vector<uint8_t> OAEP::unpad(uint8_t& valid_mask, // If we never saw any non-zero byte, then it's not valid input bad_input |= waiting_for_delim; - bad_input |= CT::is_equal<uint8_t>(same_mem(&input[hlen], m_Phash.data(), hlen), false); + bad_input |= CT::is_equal<uint8_t>(constant_time_compare(&input[hlen], m_Phash.data(), hlen), false); CT::unpoison(input.data(), input.size()); CT::unpoison(&bad_input, 1); diff --git a/src/lib/pk_pad/emsa1/emsa1.cpp b/src/lib/pk_pad/emsa1/emsa1.cpp index 82c3b86a7..e3580ff93 100644 --- a/src/lib/pk_pad/emsa1/emsa1.cpp +++ b/src/lib/pk_pad/emsa1/emsa1.cpp @@ -85,7 +85,7 @@ bool EMSA1::verify(const secure_vector<uint8_t>& input, if(our_coding[i] != 0) return false; - return same_mem(input.data(), &our_coding[offset], input.size()); + return constant_time_compare(input.data(), &our_coding[offset], input.size()); } catch(Invalid_Argument) { diff --git a/src/lib/pk_pad/emsa_pssr/pssr.cpp b/src/lib/pk_pad/emsa_pssr/pssr.cpp index 5f76b5a6f..65ee5a145 100644 --- a/src/lib/pk_pad/emsa_pssr/pssr.cpp +++ b/src/lib/pk_pad/emsa_pssr/pssr.cpp @@ -122,7 +122,7 @@ bool PSSR::verify(const secure_vector<uint8_t>& const_coded, m_hash->update(&DB[salt_offset], DB_size - salt_offset); secure_vector<uint8_t> H2 = m_hash->final(); - return same_mem(H, H2.data(), HASH_SIZE); + return constant_time_compare(H, H2.data(), HASH_SIZE); } PSSR::PSSR(HashFunction* h) : diff --git a/src/lib/pk_pad/emsa_raw/emsa_raw.cpp b/src/lib/pk_pad/emsa_raw/emsa_raw.cpp index bae7b2d04..cf2426298 100644 --- a/src/lib/pk_pad/emsa_raw/emsa_raw.cpp +++ b/src/lib/pk_pad/emsa_raw/emsa_raw.cpp @@ -75,7 +75,7 @@ bool EMSA_Raw::verify(const secure_vector<uint8_t>& coded, if(raw[i]) same_modulo_leading_zeros = false; - if(!same_mem(coded.data(), raw.data() + leading_zeros_expected, coded.size())) + if(!constant_time_compare(coded.data(), raw.data() + leading_zeros_expected, coded.size())) same_modulo_leading_zeros = false; return same_modulo_leading_zeros; diff --git a/src/lib/pk_pad/iso9796/iso9796.cpp b/src/lib/pk_pad/iso9796/iso9796.cpp index 6dcae799a..8608e7239 100644 --- a/src/lib/pk_pad/iso9796/iso9796.cpp +++ b/src/lib/pk_pad/iso9796/iso9796.cpp @@ -202,7 +202,7 @@ bool iso9796_verification(const secure_vector<uint8_t>& const_coded, secure_vector<uint8_t> H2 = hash->final(); //check if H3 == H2 - bad_input |= CT::is_equal<uint8_t>(same_mem(H3.data(), H2.data(), HASH_SIZE), false); + bad_input |= CT::is_equal<uint8_t>(constant_time_compare(H3.data(), H2.data(), HASH_SIZE), false); CT::unpoison(bad_input); return (bad_input == 0); diff --git a/src/lib/pubkey/dlies/dlies.cpp b/src/lib/pubkey/dlies/dlies.cpp index a4171a55f..a4603f0d7 100644 --- a/src/lib/pubkey/dlies/dlies.cpp +++ b/src/lib/pubkey/dlies/dlies.cpp @@ -175,7 +175,7 @@ secure_vector<uint8_t> DLIES_Decryptor::do_decrypt(uint8_t& valid_mask, secure_vector<uint8_t> tag(msg + m_pub_key_size + ciphertext_len, msg + m_pub_key_size + ciphertext_len + m_mac->output_length()); - valid_mask = CT::expand_mask<uint8_t>(same_mem(tag.data(), calculated_tag.data(), tag.size())); + valid_mask = CT::expand_mask<uint8_t>(constant_time_compare(tag.data(), calculated_tag.data(), tag.size())); // decrypt if(m_cipher) diff --git a/src/lib/pubkey/ecies/ecies.cpp b/src/lib/pubkey/ecies/ecies.cpp index df676cfb3..b8fcea64b 100644 --- a/src/lib/pubkey/ecies/ecies.cpp +++ b/src/lib/pubkey/ecies/ecies.cpp @@ -363,7 +363,7 @@ secure_vector<uint8_t> ECIES_Decryptor::do_decrypt(uint8_t& valid_mask, const ui mac->update(m_label); } const secure_vector<uint8_t> calculated_mac = mac->final(); - valid_mask = CT::expand_mask<uint8_t>(same_mem(mac_data.data(), calculated_mac.data(), mac_data.size())); + valid_mask = CT::expand_mask<uint8_t>(constant_time_compare(mac_data.data(), calculated_mac.data(), mac_data.size())); if(valid_mask) { diff --git a/src/lib/pubkey/ed25519/ed25519.cpp b/src/lib/pubkey/ed25519/ed25519.cpp index 13f75ac3b..5c9bd2b3d 100644 --- a/src/lib/pubkey/ed25519/ed25519.cpp +++ b/src/lib/pubkey/ed25519/ed25519.cpp @@ -90,7 +90,7 @@ bool ed25519_verify(const uint8_t* m, size_t mlen, ge_double_scalarmult_vartime(rcheck, h, &A, sig + 32); - return same_mem(rcheck, sig, 32); + return constant_time_compare(rcheck, sig, 32); } } diff --git a/src/lib/pubkey/sm2/sm2_enc.cpp b/src/lib/pubkey/sm2/sm2_enc.cpp index b05ce12da..aca31941d 100644 --- a/src/lib/pubkey/sm2/sm2_enc.cpp +++ b/src/lib/pubkey/sm2/sm2_enc.cpp @@ -190,7 +190,7 @@ class SM2_Decryption_Operation : public PK_Ops::Decryption hash->update(y2_bytes); secure_vector<uint8_t> u = hash->final(); - if(same_mem(u.data(), ciphertext + (1+p_bytes*2), hash->output_length()) == false) + if(constant_time_compare(u.data(), ciphertext + (1+p_bytes*2), hash->output_length()) == false) return secure_vector<uint8_t>(); valid_mask = 0xFF; diff --git a/src/lib/tls/msg_finished.cpp b/src/lib/tls/msg_finished.cpp index f00311729..0fbfc0738 100644 --- a/src/lib/tls/msg_finished.cpp +++ b/src/lib/tls/msg_finished.cpp @@ -81,7 +81,7 @@ bool Finished::verify(const Handshake_State& state, return true; #else return (m_verification_data.size() == computed_verify.size()) && - same_mem(m_verification_data.data(), computed_verify.data(), computed_verify.size()); + constant_time_compare(m_verification_data.data(), computed_verify.data(), computed_verify.size()); #endif } diff --git a/src/lib/tls/tls_cbc/tls_cbc.cpp b/src/lib/tls/tls_cbc/tls_cbc.cpp index e63893d75..244ddfb99 100644 --- a/src/lib/tls/tls_cbc/tls_cbc.cpp +++ b/src/lib/tls/tls_cbc/tls_cbc.cpp @@ -397,7 +397,7 @@ void TLS_CBC_HMAC_AEAD_Decryption::finish(secure_vector<uint8_t>& buffer, size_t const size_t mac_offset = enc_size; - const bool mac_ok = same_mem(&record_contents[mac_offset], mac_buf.data(), tag_size()); + const bool mac_ok = constant_time_compare(&record_contents[mac_offset], mac_buf.data(), tag_size()); if(!mac_ok) { @@ -459,7 +459,7 @@ void TLS_CBC_HMAC_AEAD_Decryption::finish(secure_vector<uint8_t>& buffer, size_t const size_t mac_offset = record_len - (tag_size() + pad_size); - const bool mac_ok = same_mem(&record_contents[mac_offset], mac_buf.data(), tag_size()); + const bool mac_ok = constant_time_compare(&record_contents[mac_offset], mac_buf.data(), tag_size()); const uint16_t ok_mask = size_ok_mask & CT::expand_mask<uint16_t>(mac_ok) & CT::expand_mask<uint16_t>(pad_size); |