diff options
| author | Matthieu Herrb <matthieu@herrb.eu> | 2017-02-28 19:18:25 +0100 |
|---|---|---|
| committer | Adam Jackson <ajax@redhat.com> | 2017-02-28 14:18:26 -0500 |
| commit | 3f61c7a09b220805ee6778f4bf2f429e3df8e37a (patch) | |
| tree | 4b119438f15df58a307b668a34cb7bbac6eb4566 /os | |
| parent | b5c98aa6779b97882246b03c5dea646bd1355991 (diff) | |
Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES CVE-2017-2624
Provide the function definition for systems that don't have it.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit d7ac755f0b618eb1259d93c8a16ec6e39a18627c)
Diffstat (limited to 'os')
| -rw-r--r-- | os/mitauth.c | 2 | ||||
| -rw-r--r-- | os/timingsafe_memcmp.c | 45 |
2 files changed, 46 insertions, 1 deletions
diff --git a/os/mitauth.c b/os/mitauth.c index 768a52a22..efae4404c 100644 --- a/os/mitauth.c +++ b/os/mitauth.c @@ -76,7 +76,7 @@ MitCheckCookie(unsigned short data_length, for (auth = mit_auth; auth; auth = auth->next) { if (data_length == auth->len && - memcmp(data, auth->data, (int) data_length) == 0) + timingsafe_memcmp(data, auth->data, (int) data_length) == 0) return auth->id; } *reason = "Invalid MIT-MAGIC-COOKIE-1 key"; diff --git a/os/timingsafe_memcmp.c b/os/timingsafe_memcmp.c new file mode 100644 index 000000000..36ab362a7 --- /dev/null +++ b/os/timingsafe_memcmp.c @@ -0,0 +1,45 @@ +/* + * Copyright (c) 2014 Google Inc. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include <limits.h> +#include <string.h> + +int +timingsafe_memcmp(const void *b1, const void *b2, size_t len) +{ + const unsigned char *p1 = b1, *p2 = b2; + size_t i; + int res = 0, done = 0; + + for (i = 0; i < len; i++) { + /* lt is -1 if p1[i] < p2[i]; else 0. */ + int lt = (p1[i] - p2[i]) >> CHAR_BIT; + + /* gt is -1 if p1[i] > p2[i]; else 0. */ + int gt = (p2[i] - p1[i]) >> CHAR_BIT; + + /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */ + int cmp = lt - gt; + + /* set res = cmp if !done. */ + res |= cmp & ~done; + + /* set done if p1[i] != p2[i]. */ + done |= lt | gt; + } + + return (res); +} |