Commit 15696fe6 authored by Daniel Salzman's avatar Daniel Salzman

Merge branch 'const_time_memcmp' into 'master'

contrib: add constant time memory comparison

See merge request !817
parents 5d1e6019 cfeead3d
......@@ -91,3 +91,14 @@ char *strstrip(const char *str)
return trimmed;
}
int const_time_memcmp(const void *s1, const void *s2, size_t n)
{
volatile uint8_t equal = 0;
for (size_t i = 0; i < n; i++) {
equal |= ((uint8_t *)s1)[i] ^ ((uint8_t *)s2)[i];
}
return equal;
}
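Review bot: The casts `(uint8_t *)s1` and `(uint8_t *)s2` inside the loop discard the `const` qualifier of both parameters, which `-Wcast-qual` will flag and which hides the fact that the function never writes through them. Typed locals such as `const uint8_t *a = s1, *b = s2;` with `equal |= a[i] ^ b[i];` avoid the casts. The accumulator is named `equal` but is non-zero when the buffers differ, so a name like `diff` would read correctly at the `return`. The `volatile` on the accumulator also deserves a one-line comment, presumably `/* volatile: keep the compiler from turning the loop into an early-exit compare */`, so that nobody later removes it as redundant.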
......@@ -61,4 +61,16 @@ char *strcdup(const char *s1, const char *s2);
*/
char *strstrip(const char *str);
/*!
* \brief Compare data in time based on string length.
* This function just checks for (in)equality not for relation
*
* \param s1 The first address to compare.
* \param s2 The second address to compare.
* \param n The size of memory to compare.
*
* \return Non zero on difference and zero if the buffers are identical.
*/
int const_time_memcmp(const void *s1, const void *s2, size_t n);
/*! @} */
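Review bot: The brief "Compare data in time based on string length" does not state the property callers rely on and mentions strings, although the function takes raw buffers and a byte count. I would word it as `\brief Compare two memory regions in time that depends only on n, not on the contents.` The comment should also say that the return value has no ordering meaning, unlike memcmp(), and may only be tested against zero. It should add that both buffers must be at least n bytes long, since the loop reads all n bytes of each buffer even after a mismatch.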
......@@ -29,6 +29,7 @@
#include "libknot/packet/wire.h"
#include "libknot/consts.h"
#include "libknot/packet/rrset-wire.h"
#include "contrib/string.h"
#include "contrib/wire.h"
const int KNOT_TSIG_MAX_DIGEST_SIZE = 64; // size of HMAC-SHA512 digest
......@@ -581,7 +582,7 @@ static int check_digest(const knot_rrset_t *tsig_rr,
return KNOT_TSIG_EBADSIG;
}
if (memcmp(tsig_mac, digest_tmp, mac_length) != 0) {
if (const_time_memcmp(tsig_mac, digest_tmp, mac_length) != 0) {
return KNOT_TSIG_EBADSIG;
}
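Review bot: The constant-time comparison in check_digest() covers only `mac_length` bytes, and the hunk does not show where that length is validated against the size of the locally computed digest in `digest_tmp`. If `mac_length` comes from the received TSIG record, a check that it equals the expected digest length (or an allowed truncation) must precede this call, otherwise a short MAC is compared over few bytes and a long one reads past the digest; the earlier `return KNOT_TSIG_EBADSIG` may already do this, but its condition is outside the hunk. A comment on the call would record why memcmp() must not be restored here, for example `/* Constant-time compare: timing must not reveal how many MAC bytes matched. */`. The body of check_digest() starts and ends outside the hunk.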
......