nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-07-01 03:22:48 -05:00
Code Issues Projects Releases Wiki Activity

Use a timing-safe memory compare to verify MACs.

Browse Source 
Now that we have modes in which the MAC verification happens before
any other crypto operation and hence will be the only thing seen by an
attacker, it seems like about time we got round to doing it in a
cautious way that tries to prevent the attacker from using our memcmp
as a timing oracle.

So, here's an smemeq() function which has the semantics of !memcmp but
attempts to run in time dependent only on the length parameter. All
the MAC implementations now use this in place of !memcmp to verify the
MAC on input data.
This commit is contained in:
Simon Tatham
2015-04-26 23:31:11 +01:00
parent 183a9ee98b
commit 9d5a164021
5 changed files with 36 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
sshsh256.c
View File

@ -307,7 +307,7 @@ static int hmacsha256_verresult(void *handle, unsigned char const *hmac)
{
unsigned char correct[32];
hmacsha256_genresult(handle, correct);
return !memcmp(correct, hmac, 32);
return smemeq(correct, hmac, 32);
}
static int sha256_verify(void *handle, unsigned char *blk, int len,
@ -315,7 +315,7 @@ static int sha256_verify(void *handle, unsigned char *blk, int len,
{
unsigned char correct[32];
sha256_do_hmac(handle, blk, len, seq, correct);
return !memcmp(correct, blk + len, 32);
return smemeq(correct, blk + len, 32);
}
const struct ssh_mac ssh_hmac_sha256 = {