utils: Use chunk_equals_const() for all cryptographic purposes
authorMartin Willi <martin@revosec.ch>
Sat, 11 Apr 2015 13:56:42 +0000 (15:56 +0200)
committerMartin Willi <martin@revosec.ch>
Tue, 14 Apr 2015 10:02:51 +0000 (12:02 +0200)
23 files changed:
src/libcharon/encoding/message.c
src/libcharon/network/receiver.c
src/libcharon/plugins/eap_aka/eap_aka_server.c
src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
src/libcharon/plugins/eap_sim/eap_sim_server.c
src/libcharon/plugins/xauth_generic/xauth_generic.c
src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
src/libcharon/sa/ikev2/tasks/ike_mobike.c
src/libimcv/plugins/imv_attestation/imv_attestation_process.c
src/libimcv/pts/components/ita/ita_comp_ima.c
src/libimcv/pts/components/ita/ita_comp_tboot.c
src/libimcv/pts/components/ita/ita_comp_tgrub.c
src/libimcv/pts/pts_database.c
src/libimcv/pts/pts_file_meas.c
src/libpttls/sasl/sasl_plain/sasl_plain.c
src/libstrongswan/plugins/openssl/openssl_pkcs7.c
src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
src/libstrongswan/plugins/pkcs12/pkcs12_decode.c
src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c
src/libtls/tls_peer.c
src/libtls/tls_server.c

index 0a596ff..e51c946 100644 (file)
@@ -2625,7 +2625,7 @@ METHOD(message_t, parse_body, status_t,
                        other_hash = hash_payload->get_hash(hash_payload);
                        DBG3(DBG_ENC, "HASH received %B\nHASH expected %B",
                                 &other_hash, &hash);
-                       if (!chunk_equals(hash, other_hash))
+                       if (!chunk_equals_const(hash, other_hash))
                        {
                                DBG1(DBG_ENC, "received HASH payload does not match");
                                chunk_free(&hash);
index 5ce9471..6902c48 100644 (file)
@@ -247,7 +247,7 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
        {
                return FALSE;
        }
-       if (chunk_equals(reference, cookie))
+       if (chunk_equals_const(reference, cookie))
        {
                chunk_free(&reference);
                return TRUE;
index eba7af8..04bfc17 100644 (file)
@@ -425,7 +425,7 @@ static status_t process_challenge(private_eap_aka_server_t *this,
        enumerator->destroy(enumerator);
 
        /* compare received RES against stored XRES */
-       if (!chunk_equals(res, this->xres))
+       if (!chunk_equals_const(res, this->xres))
        {
                DBG1(DBG_IKE, "received RES does not match XRES");
                return FAILED;
@@ -486,7 +486,7 @@ static status_t process_reauthentication(private_eap_aka_server_t *this,
                this->crypto->clear_keys(this->crypto);
                return challenge(this, out);
        }
-       if (!chunk_equals(counter, this->counter))
+       if (!chunk_equals_const(counter, this->counter))
        {
                DBG1(DBG_IKE, "received counter does not match");
                return FAILED;
@@ -730,4 +730,3 @@ eap_aka_server_t *eap_aka_server_create(identification_t *server,
 
        return &this->public;
 }
-
index 688b816..f7f39f9 100644 (file)
@@ -812,7 +812,7 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
                goto error;
        }
 
-       if (!chunk_equals(this->auth_response, auth_string))
+       if (!chunk_equals_const(this->auth_response, auth_string))
        {
                DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");
                goto error;
index f22266b..5aa54db 100644 (file)
@@ -262,7 +262,7 @@ static status_t process_reauthentication(private_eap_sim_server_t *this,
                this->crypto->clear_keys(this->crypto);
                return initiate(this, out);
        }
-       if (!chunk_equals(counter, this->counter))
+       if (!chunk_equals_const(counter, this->counter))
        {
                DBG1(DBG_IKE, "received counter does not match");
                return FAILED;
@@ -644,4 +644,3 @@ eap_sim_server_t *eap_sim_server_create(identification_t *server,
 
        return &this->public;
 }
-
index c37da0c..e65d1a1 100644 (file)
@@ -180,7 +180,7 @@ METHOD(xauth_method_t, process_server, status_t,
                                                                                SHARED_EAP, this->server, this->peer);
        while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
        {
-               if (chunk_equals(shared->get_key(shared), pass))
+               if (chunk_equals_const(shared->get_key(shared), pass))
                {
                        status = SUCCESS;
                        break;
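Review bot: The switch to `chunk_equals_const(shared->get_key(shared), pass)` makes the byte comparison constant-time, but the operands are still plaintext passwords of attacker-chosen length. If chunk_equals_const returns early on unequal lengths (its definition is not part of this diff, so this needs confirming), the length of the stored secret stays observable through timing. The loop also stops at the first matching secret, so the number of comparisons varies with which configured secret matched. The same applies to `chunk_equals_const(shared->get_key(shared), password)` in the later `METHOD(sasl_mechanism_t, process_server, ...)` hunk. I would add a comment at both call sites along the lines of `/* constant-time for equal-length inputs only; secret length may still be observable */`. The enclosing method starts and ends outside this hunk.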
index bb187f0..5debeeb 100644 (file)
@@ -124,7 +124,7 @@ METHOD(authenticator_t, process, status_t,
                return FAILED;
        }
        free(dh.ptr);
-       if (chunk_equals(hash, hash_payload->get_hash(hash_payload)))
+       if (chunk_equals_const(hash, hash_payload->get_hash(hash_payload)))
        {
                free(hash.ptr);
                if (!this->hybrid)
index ebef319..f144209 100644 (file)
@@ -464,7 +464,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
                return FALSE;
        }
        recv_auth_data = auth_payload->get_data(auth_payload);
-       if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
+       if (!auth_data.len || !chunk_equals_const(auth_data, recv_auth_data))
        {
                DBG1(DBG_IKE, "verification of AUTH payload with%s EAP MSK failed",
                         this->msk.ptr ? "" : "out");
index c6a4b6b..5355810 100644 (file)
@@ -123,7 +123,7 @@ METHOD(authenticator_t, process, status_t,
                {
                        continue;
                }
-               if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
+               if (auth_data.len && chunk_equals_const(auth_data, recv_auth_data))
                {
                        DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
                                 other_id, auth_method_names, AUTH_PSK);
index 6295d79..11b0bb2 100644 (file)
@@ -537,7 +537,7 @@ METHOD(task_t, process_i, status_t,
                        cookie2 = this->cookie2;
                        this->cookie2 = chunk_empty;
                        process_payloads(this, message);
-                       if (!chunk_equals(cookie2, this->cookie2))
+                       if (!chunk_equals_const(cookie2, this->cookie2))
                        {
                                chunk_free(&cookie2);
                                DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
index fbeb661..c3e053d 100644 (file)
@@ -181,7 +181,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
                        DBG1(DBG_IMV, "verifying AIK with keyid %#B", &keyid);
                        keyid_hex = chunk_to_hex(keyid, NULL, FALSE);
                        if (session->get_device_id(session, &device_id) &&
-                               chunk_equals(keyid_hex, device_id))
+                               chunk_equals_const(keyid_hex, device_id))
                        {
                                trusted = session->get_device_trust(session);
                        }
@@ -290,7 +290,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 
                                                /* check hashes from database against measurements */
                                                e = pts_db->create_file_hash_enumerator(pts_db,
-                                                                                       pts->get_platform_id(pts), 
+                                                                                       pts->get_platform_id(pts),
                                                                                        algo, is_dir, arg_int);
                                                if (!e)
                                                {
@@ -446,7 +446,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
                                        return FALSE;
                                }
 
-                               if (!chunk_equals(pcr_comp, pcr_composite))
+                               if (!chunk_equals_const(pcr_comp, pcr_composite))
                                {
                                        DBG1(DBG_IMV, "received PCR Composite does not match "
                                                                  "constructed one");
@@ -564,4 +564,3 @@ quote_error:
        }
        return TRUE;
 }
-
index 3f92b04..448ca9f 100644 (file)
@@ -307,7 +307,7 @@ static bool check_boot_aggregate(pts_pcr_t *pcrs, chunk_t measurement,
        }
        if (pcr_ok)
        {
-               success = chunk_equals(boot_aggregate, measurement);
+               success = chunk_equals_const(boot_aggregate, measurement);
                DBG1(DBG_PTS, "boot aggregate value is %scorrect",
                                           success ? "":"in");
                return success;
@@ -693,7 +693,7 @@ METHOD(pts_component_t, verify, status_t,
                                                        status = FAILED;
                                                        break;
                                                }
-                                               if (chunk_equals(measurement, hash))
+                                               if (chunk_equals_const(measurement, hash))
                                                {
                                                        status = SUCCESS;
                                                        break;
@@ -748,7 +748,7 @@ METHOD(pts_component_t, verify, status_t,
        has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
        if (has_pcr_info)
        {
-               if (!chunk_equals(pcr_before, pcrs->get(pcrs, pcr)))
+               if (!chunk_equals_const(pcr_before, pcrs->get(pcrs, pcr)))
                {
                        DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to register value",
                                                   pcr);
@@ -876,7 +876,7 @@ METHOD(pts_component_t, destroy, void,
                DESTROY_IF(this->bios_list);
                DESTROY_IF(this->ima_list);
                this->name->destroy(this->name);
-               
+
                free(this);
        }
 }
@@ -911,4 +911,3 @@ pts_component_t *pts_ita_comp_ima_create(uint32_t depth,
 
        return &this->public;
 }
-
index ce318ec..3d990f6 100644 (file)
@@ -249,7 +249,7 @@ METHOD(pts_component_t, verify, status_t,
        has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
        if (has_pcr_info)
        {
-               if (!chunk_equals(pcr_before, pcrs->get(pcrs, extended_pcr)))
+               if (!chunk_equals_const(pcr_before, pcrs->get(pcrs, extended_pcr)))
                {
                        DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to register value",
                                                   extended_pcr);
@@ -354,4 +354,3 @@ pts_component_t *pts_ita_comp_tboot_create(u_int32_t depth,
 
        return &this->public;
 }
-
index 097e4c8..e955572 100644 (file)
@@ -141,7 +141,7 @@ METHOD(pts_component_t, verify, status_t,
        has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
        if (has_pcr_info)
        {
-               if (!chunk_equals(pcr_before, pcrs->get(pcrs, extended_pcr)))
+               if (!chunk_equals_const(pcr_before, pcrs->get(pcrs, extended_pcr)))
                {
                        DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to pcr value");
                }
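Review bot: The `DBG1` call kept as context directly below the changed comparison has a `%2u` conversion in its format string but passes no argument for it. In a printf-style logger that is undefined behaviour and can write unrelated stack or register contents into the log. The otherwise parallel tboot hunk passes `extended_pcr`, so this line should read `DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to pcr value", extended_pcr);`. The visible branch also closes right after the log call, so as far as this hunk shows, a pcr_before mismatch is only reported and does not fail verification. Whether that is intended should be checked against the rest of `verify`, which lies outside the hunk.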
index d7b85c1..1a4c421 100644 (file)
@@ -187,7 +187,7 @@ METHOD(pts_database_t, add_file_measurement, status_t,
        }
        if (e->enumerate(e, &hash_id, &hash_value))
        {
-               if (!chunk_equals(measurement, hash_value))
+               if (!chunk_equals_const(measurement, hash_value))
                {
                        /* update hash measurement value */
                        if (this->db->execute(this->db, &hash_id,
@@ -289,7 +289,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t,
 
        while (e->enumerate(e, &hash))
        {
-               if (chunk_equals(hash, measurement))
+               if (chunk_equals_const(hash, measurement))
                {
                        status = SUCCESS;
                        break;
index 478892a..966d54b 100644 (file)
@@ -133,7 +133,7 @@ METHOD(pts_file_meas_t, check, bool,
                {
                        while (e->enumerate(e, &hash))
                        {
-                               if (chunk_equals(entry->measurement, hash))
+                               if (chunk_equals_const(entry->measurement, hash))
                                {
                                        status = SUCCESS;
                                        break;
@@ -223,7 +223,7 @@ METHOD(pts_file_meas_t, verify, bool,
                                }
                        }
 
-                       /* no PTS measurement returned for this filename */ 
+                       /* no PTS measurement returned for this filename */
                        if (!found)
                        {
                                success = FALSE;
@@ -234,7 +234,7 @@ METHOD(pts_file_meas_t, verify, bool,
 
                if (found && !match)
                {
-                       if (chunk_equals(measurement, entry->measurement))
+                       if (chunk_equals_const(measurement, entry->measurement))
                        {
                                match = TRUE;
                                DBG2(DBG_PTS, "  %#B for '%s' is ok",
@@ -252,7 +252,7 @@ METHOD(pts_file_meas_t, verify, bool,
                         &entry->measurement, entry->filename);
                        enumerator->destroy(enumerator);
        }
-       
+
        return success;
 }
 
index 019c1b0..b2d30e6 100644 (file)
@@ -86,7 +86,7 @@ METHOD(sasl_mechanism_t, process_server, status_t,
                DBG1(DBG_CFG, "no shared secret found for '%Y'", this->client);
                return FAILED;
        }
-       if (!chunk_equals(shared->get_key(shared), password))
+       if (!chunk_equals_const(shared->get_key(shared), password))
        {
                DBG1(DBG_CFG, "shared secret for '%Y' does not match", this->client);
                shared->destroy(shared);
index 9c3c404..891e829 100644 (file)
@@ -305,7 +305,7 @@ static bool verify_digest(CMS_ContentInfo *cms, CMS_SignerInfo *si, int hash_oid
        }
        hasher->destroy(hasher);
 
-       if (!chunk_equals(digest, hash))
+       if (!chunk_equals_const(digest, hash))
        {
                free(hash.ptr);
                DBG1(DBG_LIB, "invalid messageDigest");
index 9748e28..aa54d3b 100644 (file)
@@ -74,7 +74,7 @@ static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this,
                                                                 RSA_PKCS1_PADDING);
                if (len != -1)
                {
-                       valid = chunk_equals(data, chunk_create(buf, len));
+                       valid = chunk_equals_const(data, chunk_create(buf, len));
                }
                free(buf);
        }
index 379f247..4441b27 100644 (file)
@@ -356,7 +356,7 @@ static bool verify_mac(hash_algorithm_t hash, chunk_t salt,
                {
                        break;
                }
-               if (chunk_equals(mac, calculated))
+               if (chunk_equals_const(mac, calculated))
                {
                        success = TRUE;
                        break;
index 48fb5e6..d224ef3 100644 (file)
@@ -269,7 +269,7 @@ METHOD(enumerator_t, enumerate, bool,
                hasher->destroy(hasher);
                DBG3(DBG_LIB, "hash: %B", &hash);
 
-               valid = chunk_equals(chunk, hash);
+               valid = chunk_equals_const(chunk, hash);
                free(hash.ptr);
                if (!valid)
                {
index e6be36b..86b94ab 100644 (file)
@@ -641,7 +641,7 @@ static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader)
                this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
                return NEED_MORE;
        }
-       if (!chunk_equals(received, chunk_from_thing(buf)))
+       if (!chunk_equals_const(received, chunk_from_thing(buf)))
        {
                DBG1(DBG_TLS, "received server finished invalid");
                this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
index b1a214f..f9295a1 100644 (file)
@@ -607,7 +607,7 @@ static status_t process_finished(private_tls_server_t *this,
                this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
                return NEED_MORE;
        }
-       if (!chunk_equals(received, chunk_from_thing(buf)))
+       if (!chunk_equals_const(received, chunk_from_thing(buf)))
        {
                DBG1(DBG_TLS, "received client finished invalid");
                this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);