0

Make constant-time comparison operators for cryptographic uses public.

Review URL: http://codereview.chromium.org/8124011

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@104502 0039d316-1c4b-4281-b951-d872f2087c98
This commit is contained in:
palmer@chromium.org
2011-10-07 17:02:48 +00:00
parent 11da0c8d10
commit 3cdf6d4593
4 changed files with 54 additions and 21 deletions

@ -149,6 +149,8 @@
'secure_hash.h',
'secure_hash_default.cc',
'secure_hash_openssl.cc',
'secure_util.cc',
'secure_util.h',
'sha2.cc',
'sha2.h',
'signature_creator.h',

@ -7,28 +7,10 @@
#include <algorithm>
#include "base/logging.h"
#include "crypto/secure_util.h"
namespace crypto {
// Performs a constant-time comparison of two strings, returning true if the
// strings are equal.
//
// For cryptographic operations, comparison functions such as memcmp() may
// expose side-channel information about input, allowing an attacker to
// perform timing analysis to determine what the expected bits should be. In
// order to avoid such attacks, the comparison must execute in constant time,
// so as to not to reveal to the attacker where the difference(s) are.
// For an example attack, see
// http://groups.google.com/group/keyczar-discuss/browse_thread/thread/5571eca0948b2a13
static bool SecureMemcmp(const void* s1, const void* s2, size_t n) {
const unsigned char* s1_ptr = reinterpret_cast<const unsigned char*>(s1);
const unsigned char* s2_ptr = reinterpret_cast<const unsigned char*>(s2);
unsigned char tmp = 0;
for (size_t i = 0; i < n; ++i, ++s1_ptr, ++s2_ptr)
tmp |= *s1_ptr ^ *s2_ptr;
return (tmp == 0);
}
size_t HMAC::DigestLength() const {
switch (hash_alg_) {
case SHA1:
@ -58,8 +40,8 @@ bool HMAC::VerifyTruncated(const base::StringPiece& data,
if (!Sign(data, computed_digest.get(), static_cast<int>(digest_length)))
return false;
return SecureMemcmp(digest.data(), computed_digest.get(),
std::min(digest.size(), digest_length));
return SecureMemEqual(digest.data(), computed_digest.get(),
std::min(digest.size(), digest_length));
}
} // namespace crypto

19
crypto/secure_util.cc Normal file

@ -0,0 +1,19 @@
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "crypto/secure_util.h"
namespace crypto {
bool SecureMemEqual(const void* s1, const void* s2, size_t n) {
const unsigned char* s1_ptr = reinterpret_cast<const unsigned char*>(s1);
const unsigned char* s2_ptr = reinterpret_cast<const unsigned char*>(s2);
unsigned char tmp = 0;
for (size_t i = 0; i < n; ++i, ++s1_ptr, ++s2_ptr)
tmp |= *s1_ptr ^ *s2_ptr;
return (tmp == 0);
}
} // namespace crypto

30
crypto/secure_util.h Normal file

@ -0,0 +1,30 @@
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CRYPTO_SECURE_UTIL_H_
#define CRYPTO_SECURE_UTIL_H_
#pragma once
#include <stddef.h>
#include "crypto/crypto_export.h"
namespace crypto {
// Performs a constant-time comparison of two strings, returning true if the
// strings are equal.
//
// For cryptographic operations, comparison functions such as memcmp() may
// expose side-channel information about input, allowing an attacker to
// perform timing analysis to determine what the expected bits should be. In
// order to avoid such attacks, the comparison must execute in constant time,
// so as to not to reveal to the attacker where the difference(s) are.
// For an example attack, see
// http://groups.google.com/group/keyczar-discuss/browse_thread/thread/5571eca0948b2a13
CRYPTO_EXPORT bool SecureMemEqual(const void* s1, const void* s2, size_t n);
} // namespace crypto
#endif // CRYPTO_SECURE_UTIL_H_