diff options
author | Martin Willi <martin@revosec.ch> | 2015-04-11 15:25:21 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2015-04-14 11:53:31 +0200 |
commit | 71afe0a5567ff4cc51e536913f5c009700d3dcf8 (patch) | |
tree | c5c03feb81633cb4db597451c0d79043ee05e10c | |
parent | b833963270fbffe3186f5c71c7584c2347a44038 (diff) | |
download | strongswan-71afe0a5567ff4cc51e536913f5c009700d3dcf8.tar.bz2 strongswan-71afe0a5567ff4cc51e536913f5c009700d3dcf8.tar.xz |
utils: Use memeq_const() for all cryptographic purposes
-rw-r--r-- | src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_md5/eap_md5.c | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 5 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_sim/eap_sim_peer.c | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c | 3 | ||||
-rw-r--r-- | src/libradius/radius_message.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/crypto/signers/mac_signer.c | 3 | ||||
-rw-r--r-- | src/libstrongswan/plugins/af_alg/af_alg_signer.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/plugins/ccm/ccm_aead.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/plugins/gcm/gcm_aead.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 5 |
12 files changed, 14 insertions, 22 deletions
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c index a71dae78a..e38ee5b70 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c +++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c @@ -87,7 +87,7 @@ METHOD(simaka_card_t, get_quintuplet, status_t, { return FAILED; } - if (!memeq(mac, xmac, AKA_MAC_LEN)) + if (!memeq_const(mac, xmac, AKA_MAC_LEN)) { DBG1(DBG_IKE, "received MAC does not match XMAC"); DBG3(DBG_IKE, "MAC %b\nXMAC %b", mac, AKA_MAC_LEN, xmac, AKA_MAC_LEN); @@ -184,4 +184,3 @@ eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f) return &this->public; } - diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c index 0be122158..f272e1ec8 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c +++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c @@ -158,7 +158,7 @@ METHOD(simaka_provider_t, resync, bool, { return FALSE; } - if (!memeq(macs, xmacs, AKA_MAC_LEN)) + if (!memeq_const(macs, xmacs, AKA_MAC_LEN)) { DBG1(DBG_IKE, "received MACS does not match XMACS"); DBG3(DBG_IKE, "MACS %b XMACS %b", @@ -205,4 +205,3 @@ eap_aka_3gpp2_provider_t *eap_aka_3gpp2_provider_create( return &this->public; } - diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c index b2640d104..d314e7a9e 100644 --- a/src/libcharon/plugins/eap_md5/eap_md5.c +++ b/src/libcharon/plugins/eap_md5/eap_md5.c @@ -193,7 +193,7 @@ METHOD(eap_method_t, process_server, status_t, } response = chunk_create(data.ptr + 6, data.ptr[5]); if (response.len < expected.len || - !memeq(response.ptr, expected.ptr, expected.len)) + !memeq_const(response.ptr, expected.ptr, expected.len)) { chunk_free(&expected); DBG1(DBG_IKE, "EAP-MD5 verification failed"); @@ -299,4 +299,3 @@ eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer) return &this->public; } - diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c index 511506869..688b816ca 100644 --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c @@ -1087,8 +1087,8 @@ static status_t process_server_response(private_eap_mschapv2_t *this, userid->destroy(userid); chunk_clear(&nt_hash); - if (memeq(res->response.nt_response, this->nt_response.ptr, - this->nt_response.len)) + if (memeq_const(res->response.nt_response, this->nt_response.ptr, + this->nt_response.len)) { chunk_t hex; char msg[AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE)]; @@ -1267,4 +1267,3 @@ eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identificatio return &this->public; } - diff --git a/src/libcharon/plugins/eap_sim/eap_sim_peer.c b/src/libcharon/plugins/eap_sim/eap_sim_peer.c index ff96e9279..2637b4314 100644 --- a/src/libcharon/plugins/eap_sim/eap_sim_peer.c +++ b/src/libcharon/plugins/eap_sim/eap_sim_peer.c @@ -310,7 +310,7 @@ static status_t process_challenge(private_eap_sim_peer_t *this, /* excepting two or three RAND, each 16 bytes. We require two valid * and different RANDs */ if ((rands.len != 2 * SIM_RAND_LEN && rands.len != 3 * SIM_RAND_LEN) || - memeq(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN)) + memeq_const(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN)) { DBG1(DBG_IKE, "no valid AT_RAND received"); if (!create_client_error(this, SIM_INSUFFICIENT_CHALLENGES, out)) @@ -734,4 +734,3 @@ eap_sim_peer_t *eap_sim_peer_create(identification_t *server, return &this->public; } - diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c b/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c index bd47e5085..0a6aec083 100644 --- a/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c +++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c @@ -52,7 +52,7 @@ METHOD(simaka_card_t, get_triplet, bool, c_rand, SIM_RAND_LEN, c_sres, SIM_SRES_LEN, c_kc, SIM_KC_LEN); if (id->matches(id, cand)) { - if (memeq(c_rand, rand, SIM_RAND_LEN)) + if (memeq_const(c_rand, rand, SIM_RAND_LEN)) { DBG2(DBG_CFG, " => triplet matches"); memcpy(sres, c_sres, SIM_SRES_LEN); @@ -105,4 +105,3 @@ eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets) return &this->public; } - diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c index 3905a06c7..e6abfe2c2 100644 --- a/src/libradius/radius_message.c +++ b/src/libradius/radius_message.c @@ -536,7 +536,7 @@ METHOD(radius_message_t, verify, bool, /* verify Response-Authenticator */ if (!hasher->get_hash(hasher, msg, NULL) || !hasher->get_hash(hasher, secret, buf) || - !memeq(buf, res_auth, HASH_SIZE_MD5)) + !memeq_const(buf, res_auth, HASH_SIZE_MD5)) { DBG1(DBG_CFG, "RADIUS Response-Authenticator verification failed"); return FALSE; diff --git a/src/libstrongswan/crypto/signers/mac_signer.c b/src/libstrongswan/crypto/signers/mac_signer.c index 7c52aa305..1094c4473 100644 --- a/src/libstrongswan/crypto/signers/mac_signer.c +++ b/src/libstrongswan/crypto/signers/mac_signer.c @@ -85,7 +85,7 @@ METHOD(signer_t, verify_signature, bool, return FALSE; } return this->mac->get_mac(this->mac, data, mac) && - memeq(signature.ptr, mac, this->truncation); + memeq_const(signature.ptr, mac, this->truncation); } METHOD(signer_t, get_key_size, size_t, @@ -136,4 +136,3 @@ signer_t *mac_signer_create(mac_t *mac, size_t len) return &this->public; } - diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.c b/src/libstrongswan/plugins/af_alg/af_alg_signer.c index 9ad01103a..1403144ab 100644 --- a/src/libstrongswan/plugins/af_alg/af_alg_signer.c +++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.c @@ -138,7 +138,7 @@ METHOD(signer_t, verify_signature, bool, { return FALSE; } - return memeq(signature.ptr, sig, signature.len); + return memeq_const(signature.ptr, sig, signature.len); } METHOD(signer_t, get_key_size, size_t, diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.c b/src/libstrongswan/plugins/ccm/ccm_aead.c index 6d4b2e13c..676d67681 100644 --- a/src/libstrongswan/plugins/ccm/ccm_aead.c +++ b/src/libstrongswan/plugins/ccm/ccm_aead.c @@ -256,7 +256,7 @@ static bool verify_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc, char buf[this->icv_size]; return create_icv(this, plain, assoc, iv, buf) && - memeq(buf, icv, this->icv_size); + memeq_const(buf, icv, this->icv_size); } METHOD(aead_t, encrypt, bool, diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c index 4ab17017f..6e1694a34 100644 --- a/src/libstrongswan/plugins/gcm/gcm_aead.c +++ b/src/libstrongswan/plugins/gcm/gcm_aead.c @@ -276,7 +276,7 @@ static bool verify_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt, char tmp[this->icv_size]; return create_icv(this, assoc, crypt, j, tmp) && - memeq(tmp, icv, this->icv_size); + memeq_const(tmp, icv, this->icv_size); } METHOD(aead_t, encrypt, bool, diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index ad659e4d7..e738908e2 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c @@ -187,7 +187,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this, " %u bytes", em.len, data.len); goto end; } - success = memeq(em.ptr, data.ptr, data.len); + success = memeq_const(em.ptr, data.ptr, data.len); } else { /* IKEv2 and X.509 certificate signatures */ @@ -258,7 +258,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this, goto end_parser; } hasher->destroy(hasher); - success = memeq(object.ptr, hash.ptr, hash.len); + success = memeq_const(object.ptr, hash.ptr, hash.len); free(hash.ptr); break; } @@ -500,4 +500,3 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args) return &this->public; } - |