- djm@cvs.openbsd.org 2010/07/13 11:52:06

[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c] [packet.c ssh-rsa.c] implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
2026-01-12 00:04:08 +08:00 · 2010-07-16 13:57:51 +10:00
parent d0244d498b
commit 8a0268f1b3
10 changed files with 45 additions and 23 deletions
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-rsa.c,v 1.41 2010/04/16 01:47:26 djm Exp $ */
+/* $OpenBSD: ssh-rsa.c,v 1.42 2010/07/13 11:52:06 djm Exp $ */
 /*
 * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
 *
@@ -30,6 +30,7 @@
 #include "buffer.h"
 #include "key.h"
 #include "compat.h"
+#include "misc.h"
 #include "ssh.h"

 static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *);
@@ -249,11 +250,11 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen,
 		error("bad decrypted len: %d != %d + %d", len, hlen, oidlen);
 		goto done;
 	}
-	if (memcmp(decrypted, oid, oidlen) != 0) {
+	if (timing_safe_cmp(decrypted, oid, oidlen) != 0) {
 		error("oid mismatch");
 		goto done;
 	}
-	if (memcmp(decrypted + oidlen, hash, hlen) != 0) {
+	if (timing_safe_cmp(decrypted + oidlen, hash, hlen) != 0) {
 		error("hash mismatch");
 		goto done;
 	}