- djm@cvs.openbsd.org 2010/07/13 11:52:06
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c]
[packet.c ssh-rsa.c]
implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@
diff --git a/ssh-rsa.c b/ssh-rsa.c
index bb9cc8e..01f27f5 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-rsa.c,v 1.41 2010/04/16 01:47:26 djm Exp $ */
+/* $OpenBSD: ssh-rsa.c,v 1.42 2010/07/13 11:52:06 djm Exp $ */
/*
* Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
*
@@ -30,6 +30,7 @@
#include "buffer.h"
#include "key.h"
#include "compat.h"
+#include "misc.h"
#include "ssh.h"
static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *);
@@ -249,11 +250,11 @@
error("bad decrypted len: %d != %d + %d", len, hlen, oidlen);
goto done;
}
- if (memcmp(decrypted, oid, oidlen) != 0) {
+ if (timing_safe_cmp(decrypted, oid, oidlen) != 0) {
error("oid mismatch");
goto done;
}
- if (memcmp(decrypted + oidlen, hash, hlen) != 0) {
+ if (timing_safe_cmp(decrypted + oidlen, hash, hlen) != 0) {
error("hash mismatch");
goto done;
}