[v9_9] timing safe memory comparisons

4183.	[cleanup]	Use timing-safe memory comparisons in cryptographic
			code. Also, the timing-safe comparison functions have
			been renamed to avoid possible confusion with
			memcmp(). [RT #40148]

(cherry picked from commit 420a43c8d8)

CHANGES

@@ -1,3 +1,8 @@
+4183.	[cleanup]	Use timing-safe memory comparisons in cryptographic
+			code. Also, the timing-safe comparison functions have
+			been renamed to avoid possible confusion with
+			memcmp(). [RT #40148]
+
 4182.	[cleanup]	Use mnemonics for RR class and type comparisons.
 			[RT #40297]
 

bin/dig/dighost.c

@@ -85,6 +85,7 @@
 #include <isc/print.h>
 #include <isc/random.h>
 #include <isc/result.h>
+#include <isc/safe.h>
 #include <isc/serial.h>
 #include <isc/string.h>
 #include <isc/task.h>

bin/dnssec/dnssec-signzone.c

@@ -52,6 +52,7 @@
 #include <isc/random.h>
 #include <isc/rwlock.h>
 #include <isc/serial.h>
+#include <isc/safe.h>
 #include <isc/stdio.h>
 #include <isc/stdlib.h>
 #include <isc/string.h>
@@ -760,7 +761,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
 
 static int
 hashlist_comp(const void *a, const void *b) {
-	return (memcmp(a, b, hash_length + 1));
+	return (isc_safe_memcompare(a, b, hash_length + 1));
 }
 
 static void
@@ -787,7 +788,7 @@ hashlist_hasdup(hashlist_t *l) {
 		next += l->length;
 		if (next[l->length-1] != 0)
 			continue;
-		if (memcmp(current, next, l->length - 1) == 0)
+		if (isc_safe_memequal(current, next, l->length - 1))
 			return (ISC_TRUE);
 		current = next;
 	}
@@ -2011,7 +2012,7 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
 		if (exists && nsec3.hash == hashalg &&
 		    nsec3.iterations == iterations &&
 		    nsec3.salt_length == salt_len &&
-		    !memcmp(nsec3.salt, salt, salt_len))
+		    isc_safe_memequal(nsec3.salt, salt, salt_len))
 			continue;
 		dns_rdatalist_init(&rdatalist);
 		rdatalist.rdclass = rdata.rdclass;
@@ -2670,7 +2671,7 @@ set_nsec3params(isc_boolean_t update, isc_boolean_t set_salt,
 
 	if (!update && set_salt) {
 		if (salt_length != orig_saltlen ||
-		    memcmp(saltbuf, orig_salt, salt_length) != 0)
+		    !isc_safe_memequal(saltbuf, orig_salt, salt_length))
 			fatal("An NSEC3 chain exists with a different salt. "
 			      "Use -u to update it.");
 	} else if (!set_salt) {

lib/dns/client.c

@@ -14,8 +14,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.14 2011/03/12 04:59:47 tbox Exp $ */
-
 #include <config.h>
 
 #include <stddef.h>
@@ -23,6 +21,7 @@
 #include <isc/app.h>
 #include <isc/mem.h>
 #include <isc/mutex.h>
+#include <isc/safe.h>
 #include <isc/sockaddr.h>
 #include <isc/socket.h>
 #include <isc/task.h>

lib/dns/hmac_link.c

@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	else if (hkey1 == NULL || hkey2 == NULL)
 		return (ISC_FALSE);
 
-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
+	if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
 		return (ISC_TRUE);
 	else
 		return (ISC_FALSE);
@@ -417,7 +417,7 @@ hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	else if (hkey1 == NULL || hkey2 == NULL)
 		return (ISC_FALSE);
 
-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
+	if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
 		return (ISC_TRUE);
 	else
 		return (ISC_FALSE);
@@ -695,7 +695,7 @@ hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	else if (hkey1 == NULL || hkey2 == NULL)
 		return (ISC_FALSE);
 
-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH))
+	if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH))
 		return (ISC_TRUE);
 	else
 		return (ISC_FALSE);
@@ -975,7 +975,7 @@ hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	else if (hkey1 == NULL || hkey2 == NULL)
 		return (ISC_FALSE);
 
-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH))
+	if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH))
 		return (ISC_TRUE);
 	else
 		return (ISC_FALSE);
@@ -1255,7 +1255,7 @@ hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	else if (hkey1 == NULL || hkey2 == NULL)
 		return (ISC_FALSE);
 
-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH))
+	if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH))
 		return (ISC_TRUE);
 	else
 		return (ISC_FALSE);
@@ -1535,7 +1535,7 @@ hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	else if (hkey1 == NULL || hkey2 == NULL)
 		return (ISC_FALSE);
 
-	if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH))
+	if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH))
 		return (ISC_TRUE);
 	else
 		return (ISC_FALSE);

lib/dns/nsec3.c

@@ -25,6 +25,7 @@
 #include <isc/log.h>
 #include <isc/string.h>
 #include <isc/util.h>
+#include <isc/safe.h>
 
 #include <dst/dst.h>
 
@@ -1929,7 +1930,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
 	 * Work out what this NSEC3 covers.
 	 * Inside (<0) or outside (>=0).
 	 */
-	scope = memcmp(owner, nsec3.next, nsec3.next_length);
+	scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length);
 
 	/*
 	 * Prepare to compute all the hashes.
@@ -1954,7 +1955,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
 			return (ISC_R_IGNORE);
 		}
 
-		order = memcmp(hash, owner, length);
+		order = isc_safe_memcompare(hash, owner, length);
 		if (first && order == 0) {
 			/*
 			 * The hashes are the same.

lib/dns/opensslgost_link.c

@@ -14,14 +14,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: opensslgost_link.c,v 1.5 2011/01/19 23:47:12 tbox Exp $ */
-
 #include <config.h>
 
 #ifdef HAVE_OPENSSL_GOST
 
 #include <isc/entropy.h>
 #include <isc/mem.h>
+#include <isc/safe.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
@@ -253,7 +252,7 @@ opensslgost_todns(const dst_key_t *key, isc_buffer_t *data) {
 	p = der;
 	len = i2d_PUBKEY(pkey, &p);
 	INSIST(len == sizeof(der));
-	INSIST(memcmp(gost_prefix, der, 37) == 0);
+	INSIST(isc_safe_memequal(gost_prefix, der, 37));
 	memmove(r.base, der + 37, 64);
 	isc_buffer_add(data, 64);
 

lib/dns/opensslrsa_link.c

@@ -650,9 +650,10 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 						DST_R_VERIFYFAILURE));
 			if (status != (int)(prefixlen + digestlen))
 				return (DST_R_VERIFYFAILURE);
-			if (memcmp(original, prefix, prefixlen))
+			if (!isc_safe_memequal(original, prefix, prefixlen))
 				return (DST_R_VERIFYFAILURE);
-			if (memcmp(original + prefixlen, digest, digestlen))
+			if (!isc_safe_memequal(original + prefixlen,
+					    digest, digestlen))
 				return (DST_R_VERIFYFAILURE);
 			status = 1;
 		}

lib/dns/spnego.c

@@ -14,8 +14,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id$ */
-
 /*! \file
  * \brief
  * Portable SPNEGO implementation.
@@ -146,6 +144,7 @@
 #include <isc/mem.h>
 #include <isc/once.h>
 #include <isc/random.h>
+#include <isc/safe.h>
 #include <isc/string.h>
 #include <isc/time.h>
 #include <isc/util.h>
@@ -395,7 +394,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
 	if (((OM_uint32) *p++) != gssoid->length)
 		return (GSS_S_DEFECTIVE_TOKEN);
 
-	return (memcmp(p, gssoid->elements, gssoid->length));
+	return (isc_safe_memcompare(p, gssoid->elements, gssoid->length));
 }
 
 /* accept_sec_context.c */
@@ -635,16 +634,18 @@ gss_accept_sec_context_spnego(OM_uint32 *minor_status,
 			return (GSS_S_DEFECTIVE_TOKEN);
 		}
 		if (mech_len == GSS_KRB5_MECH->length &&
-		    memcmp(GSS_KRB5_MECH->elements,
-			   mechbuf + sizeof(mechbuf) - mech_len,
-			   mech_len) == 0) {
+		    isc_safe_memequal(GSS_KRB5_MECH->elements,
+				      mechbuf + sizeof(mechbuf) - mech_len,
+				      mech_len))
+		{
 			found = 1;
 			break;
 		}
 		if (mech_len == GSS_MSKRB5_MECH->length &&
-		    memcmp(GSS_MSKRB5_MECH->elements,
-			   mechbuf + sizeof(mechbuf) - mech_len,
-			   mech_len) == 0) {
+		    isc_safe_memequal(GSS_MSKRB5_MECH->elements,
+				      mechbuf + sizeof(mechbuf) - mech_len,
+				      mech_len))
+		{
 			found = 1;
 			if (i == 0)
 				pref = GSS_MSKRB5_MECH;
@@ -715,7 +716,7 @@ gssapi_verify_mech_header(u_char ** str,
 	p += foo;
 	if (mech_len != mech->length)
 		return (GSS_S_BAD_MECH);
-	if (memcmp(p, mech->elements, mech->length) != 0)
+	if (!isc_safe_memequal(p, mech->elements, mech->length))
 		return (GSS_S_BAD_MECH);
 	p += mech_len;
 	*str = p;
@@ -1668,7 +1669,7 @@ spnego_reply(OM_uint32 *minor_status,
 		buf = input_token->value;
 		buf_size = input_token->length;
 	} else if ((size_t)mech_len == GSS_KRB5_MECH->length &&
-		   memcmp(GSS_KRB5_MECH->elements, p, mech_len) == 0)
+		   isc_safe_memequal(GSS_KRB5_MECH->elements, p, mech_len))
 		return (gss_init_sec_context(minor_status,
 					     initiator_cred_handle,
 					     context_handle,
@@ -1683,7 +1684,7 @@ spnego_reply(OM_uint32 *minor_status,
 					     ret_flags,
 					     time_rec));
 	else if ((size_t)mech_len == GSS_SPNEGO_MECH->length &&
-		 memcmp(GSS_SPNEGO_MECH->elements, p, mech_len) == 0) {
+		 isc_safe_memequal(GSS_SPNEGO_MECH->elements, p, mech_len)) {
 		ret = gssapi_spnego_decapsulate(minor_status,
 						input_token,
 						&buf,
@@ -1721,9 +1722,9 @@ spnego_reply(OM_uint32 *minor_status,
 			  resp.supportedMech,
 			  &oidlen);
 	if (ret || oidlen != GSS_KRB5_MECH->length ||
-	    memcmp(oidbuf + sizeof(oidbuf) - oidlen,
-		   GSS_KRB5_MECH->elements,
-		   oidlen) != 0) {
+	    !isc_safe_memequal(oidbuf + sizeof(oidbuf) - oidlen,
+			      GSS_KRB5_MECH->elements, oidlen))
+	{
 		free_NegTokenResp(&resp);
 		return GSS_S_BAD_MECH;
 	}

lib/isc/hmacmd5.c

@@ -159,5 +159,5 @@ isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len) {
 
 	REQUIRE(len <= ISC_MD5_DIGESTLENGTH);
 	isc_hmacmd5_sign(ctx, newdigest);
-	return (isc_safe_memcmp(digest, newdigest, len));
+	return (isc_safe_memequal(digest, newdigest, len));
 }

lib/isc/hmacsha.c

@@ -604,7 +604,7 @@ isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
 
 	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
 	isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
-	return (isc_safe_memcmp(digest, newdigest, len));
+	return (isc_safe_memequal(digest, newdigest, len));
 }
 
 /*
@@ -617,7 +617,7 @@ isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len)
 
 	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
 	isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
-	return (isc_safe_memcmp(digest, newdigest, len));
+	return (isc_safe_memequal(digest, newdigest, len));
 }
 
 /*
@@ -630,7 +630,7 @@ isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len)
 
 	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
 	isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
-	return (isc_safe_memcmp(digest, newdigest, len));
+	return (isc_safe_memequal(digest, newdigest, len));
 }
 
 /*
@@ -643,7 +643,7 @@ isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len)
 
 	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
 	isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
-	return (isc_safe_memcmp(digest, newdigest, len));
+	return (isc_safe_memequal(digest, newdigest, len));
 }
 
 /*
@@ -656,5 +656,5 @@ isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len)
 
 	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
 	isc_hmacsha512_sign(ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
-	return (isc_safe_memcmp(digest, newdigest, len));
+	return (isc_safe_memequal(digest, newdigest, len));
 }

lib/isc/include/isc/safe.h

@@ -26,9 +26,17 @@
 ISC_LANG_BEGINDECLS
 
 isc_boolean_t
-isc_safe_memcmp(const void *s1, const void *s2, size_t n);
+isc_safe_memequal(const void *s1, const void *s2, size_t n);
 /*%<
- * Clone of libc memcmp() safe to differential timing attacks.
+ * Returns ISC_TRUE iff. two blocks of memory are equal, otherwise
+ * ISC_FALSE.
+ *
+ */
+
+int
+isc_safe_memcompare(const void *b1, const void *b2, size_t len);
+/*%<
+ * Clone of libc memcmp() which is safe to differential timing attacks.
  */
 
 ISC_LANG_ENDDECLS

lib/isc/safe.c

@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2014 Google Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,8 +15,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id$ */
-
 /*! \file */
 
 #include <config.h>
@@ -28,7 +27,7 @@
 #endif
 
 isc_boolean_t
-isc_safe_memcmp(const void *s1, const void *s2, size_t n) {
+isc_safe_memequal(const void *s1, const void *s2, size_t n) {
 	isc_uint8_t acc = 0;
 
 	if (n != 0U) {
@@ -40,3 +39,30 @@ isc_safe_memcmp(const void *s1, const void *s2, size_t n) {
 	}
 	return (ISC_TF(acc == 0));
 }
+
+
+int
+isc_safe_memcompare(const void *b1, const void *b2, size_t len) {
+        const unsigned char *p1 = b1, *p2 = b2;
+        size_t i;
+        int res = 0, done = 0;
+
+        for (i = 0; i < len; i++) {
+                /* lt is -1 if p1[i] < p2[i]; else 0. */
+                int lt = (p1[i] - p2[i]) >> CHAR_BIT;
+
+                /* gt is -1 if p1[i] > p2[i]; else 0. */
+                int gt = (p2[i] - p1[i]) >> CHAR_BIT;
+
+                /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
+                int cmp = lt - gt;
+
+                /* set res = cmp if !done. */
+                res |= cmp & ~done;
+
+                /* set done if p1[i] != p2[i]. */
+                done |= lt | gt;
+        }
+
+        return (res);
+}

lib/isc/tests/safe_test.c

@@ -28,25 +28,46 @@
 #include <isc/safe.h>
 #include <isc/util.h>
 
-ATF_TC(isc_safe_memcmp);
-ATF_TC_HEAD(isc_safe_memcmp, tc) {
-	atf_tc_set_md_var(tc, "descr", "safe memcmp()");
+ATF_TC(isc_safe_memequal);
+ATF_TC_HEAD(isc_safe_memequal, tc) {
+	atf_tc_set_md_var(tc, "descr", "safe memequal()");
 }
-ATF_TC_BODY(isc_safe_memcmp, tc) {
+ATF_TC_BODY(isc_safe_memequal, tc) {
 	UNUSED(tc);
 
-	ATF_CHECK(isc_safe_memcmp("test", "test", 4));
-	ATF_CHECK(!isc_safe_memcmp("test", "tesc", 4));
-	ATF_CHECK(isc_safe_memcmp("\x00\x00\x00\x00", "\x00\x00\x00\x00", 4));
-	ATF_CHECK(!isc_safe_memcmp("\x00\x00\x00\x00", "\x00\x00\x00\x01", 4));
-	ATF_CHECK(!isc_safe_memcmp("\x00\x00\x00\x02", "\x00\x00\x00\x00", 4));
+	ATF_CHECK(isc_safe_memequal("test", "test", 4));
+	ATF_CHECK(!isc_safe_memequal("test", "tesc", 4));
+	ATF_CHECK(isc_safe_memequal("\x00\x00\x00\x00",
+				    "\x00\x00\x00\x00", 4));
+	ATF_CHECK(!isc_safe_memequal("\x00\x00\x00\x00",
+				     "\x00\x00\x00\x01", 4));
+	ATF_CHECK(!isc_safe_memequal("\x00\x00\x00\x02",
+				     "\x00\x00\x00\x00", 4));
+}
+
+ATF_TC(isc_safe_memcompare);
+ATF_TC_HEAD(isc_safe_memcompare, tc) {
+	atf_tc_set_md_var(tc, "descr", "safe memcompare()");
+}
+ATF_TC_BODY(isc_safe_memcompare, tc) {
+	UNUSED(tc);
+
+	ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0);
+	ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0);
+	ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0);
+	ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
+				      "\x00\x00\x00\x00", 4) == 0);
+	ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
+				      "\x00\x00\x00\x01", 4) < 0);
+	ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02",
+				      "\x00\x00\x00\x00", 4) > 0);
 }
 
 /*
  * Main
  */
 ATF_TP_ADD_TCS(tp) {
-	ATF_TP_ADD_TC(tp, isc_safe_memcmp);
+	ATF_TP_ADD_TC(tp, isc_safe_memequal);
+	ATF_TP_ADD_TC(tp, isc_safe_memcompare);
 	return (atf_no_error());
 }
-

lib/isccc/cc.c

@@ -313,8 +313,8 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
 	/*
 	 * Verify.
 	 */
-	if (!isc_safe_memcmp((unsigned char *) isccc_sexpr_tostring(hmd5),
-			     digestb64, HMD5_LENGTH))
+	if (!isc_safe_memequal((unsigned char *) isccc_sexpr_tostring(hmd5),
+			       digestb64, HMD5_LENGTH))
 		return (ISCCC_R_BADAUTH);
 
 	return (ISC_R_SUCCESS);