these are comparing authenticators and need to be constant time...

A byte-wise compare that exits at the first mismatch is a potential timing side channel.  Now that we have a constant-time function for this (timingsafe_bcmp), use it.

jmgurney/ipsecgcm:	24d704cc and 7f37a14
John-Mark Gurney 2015-07-31 00:31:52 +00:00
parent 817c7ed900
commit 42e5fcbf2b
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=286101
2 changed files with 2 additions and 2 deletions


@ -777,7 +777,7 @@ ah_input_cb(struct cryptop *crp)
/* Verify authenticator. */
ptr = (caddr_t) (tc + 1);
if (bcmp(ptr + skip + rplen, calc, authsize)) {
if (timingsafe_bcmp(ptr + skip + rplen, calc, authsize)) {
DPRINTF(("%s: authentication hash mismatch for packet "
"in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst, buf, sizeof(buf)),
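Review bot: The `/* Verify authenticator. */` comment above the new `timingsafe_bcmp` call does not say why a constant-time compare is required here, so a later cleanup or "simplification" could regress it back to bcmp() without anyone noticing. I would extend it to `/* Verify authenticator. Must be constant time: an early-exit compare leaks how many leading ICV bytes matched. */`. The length passed is `authsize`, which appears to be a per-SA value rather than something the packet controls, so the compare's running time should not itself leak anything, but that is worth confirming where authsize is derived. The ESP counterpart in this commit spells the test as `!= 0`; for consistency this line could read `if (timingsafe_bcmp(ptr + skip + rplen, calc, authsize) != 0) {`. ah_input_cb begins before this hunk and its mismatch handling continues past it.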


@ -534,7 +534,7 @@ esp_input_cb(struct cryptop *crp)
ptr = (caddr_t) (tc + 1);
/* Verify authenticator */
if (bcmp(ptr, aalg, alen) != 0) {
if (timingsafe_bcmp(ptr, aalg, alen) != 0) {
DPRINTF(("%s: authentication hash mismatch for "
"packet in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst, buf, sizeof(buf)),
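Review bot: The `/* Verify authenticator */` comment above the new `timingsafe_bcmp` call gives no hint that the constant-time property is load-bearing, which is the kind of thing that gets undone in a refactor. I would change it to `/* Verify authenticator. Must be constant time: an early-exit compare leaks how many leading ICV bytes matched. */`. Note that timingsafe_bcmp only makes the data-dependent branch go away; its run time still scales with `alen`, which is presumably the SA's fixed ICV length rather than packet-controlled, so that should be fine but is worth confirming at the point where alen is set. esp_input_cb begins before this hunk and the mismatch path continues past it.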