utils: Use memeq_const() for all cryptographic purposes
authorMartin Willi <martin@revosec.ch>
Sat, 11 Apr 2015 13:25:21 +0000 (15:25 +0200)
committerMartin Willi <martin@revosec.ch>
Tue, 14 Apr 2015 09:53:31 +0000 (11:53 +0200)
12 files changed:
src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
src/libcharon/plugins/eap_md5/eap_md5.c
src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
src/libcharon/plugins/eap_sim/eap_sim_peer.c
src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c
src/libradius/radius_message.c
src/libstrongswan/crypto/signers/mac_signer.c
src/libstrongswan/plugins/af_alg/af_alg_signer.c
src/libstrongswan/plugins/ccm/ccm_aead.c
src/libstrongswan/plugins/gcm/gcm_aead.c
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c

index a71dae7..e38ee5b 100644 (file)
@@ -87,7 +87,7 @@ METHOD(simaka_card_t, get_quintuplet, status_t,
        {
                return FAILED;
        }
-       if (!memeq(mac, xmac, AKA_MAC_LEN))
+       if (!memeq_const(mac, xmac, AKA_MAC_LEN))
        {
                DBG1(DBG_IKE, "received MAC does not match XMAC");
                DBG3(DBG_IKE, "MAC %b\nXMAC %b", mac, AKA_MAC_LEN, xmac, AKA_MAC_LEN);
@@ -184,4 +184,3 @@ eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f)
 
        return &this->public;
 }
-
index 0be1221..f272e1e 100644 (file)
@@ -158,7 +158,7 @@ METHOD(simaka_provider_t, resync, bool,
        {
                return FALSE;
        }
-       if (!memeq(macs, xmacs, AKA_MAC_LEN))
+       if (!memeq_const(macs, xmacs, AKA_MAC_LEN))
        {
                DBG1(DBG_IKE, "received MACS does not match XMACS");
                DBG3(DBG_IKE, "MACS %b XMACS %b",
@@ -205,4 +205,3 @@ eap_aka_3gpp2_provider_t *eap_aka_3gpp2_provider_create(
 
        return &this->public;
 }
-
index b2640d1..d314e7a 100644 (file)
@@ -193,7 +193,7 @@ METHOD(eap_method_t, process_server, status_t,
        }
        response = chunk_create(data.ptr + 6, data.ptr[5]);
        if (response.len < expected.len ||
-               !memeq(response.ptr, expected.ptr, expected.len))
+               !memeq_const(response.ptr, expected.ptr, expected.len))
        {
                chunk_free(&expected);
                DBG1(DBG_IKE, "EAP-MD5 verification failed");
@@ -299,4 +299,3 @@ eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer)
 
        return &this->public;
 }
-
index 5115068..688b816 100644 (file)
@@ -1087,8 +1087,8 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
        userid->destroy(userid);
        chunk_clear(&nt_hash);
 
-       if (memeq(res->response.nt_response, this->nt_response.ptr,
-                         this->nt_response.len))
+       if (memeq_const(res->response.nt_response, this->nt_response.ptr,
+                                       this->nt_response.len))
        {
                chunk_t hex;
                char msg[AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE)];
@@ -1267,4 +1267,3 @@ eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identificatio
 
        return &this->public;
 }
-
index ff96e92..2637b43 100644 (file)
@@ -310,7 +310,7 @@ static status_t process_challenge(private_eap_sim_peer_t *this,
        /* excepting two or three RAND, each 16 bytes. We require two valid
         * and different RANDs */
        if ((rands.len != 2 * SIM_RAND_LEN && rands.len != 3 * SIM_RAND_LEN) ||
-               memeq(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN))
+               memeq_const(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN))
        {
                DBG1(DBG_IKE, "no valid AT_RAND received");
                if (!create_client_error(this, SIM_INSUFFICIENT_CHALLENGES, out))
@@ -734,4 +734,3 @@ eap_sim_peer_t *eap_sim_peer_create(identification_t *server,
 
        return &this->public;
 }
-
index bd47e50..0a6aec0 100644 (file)
@@ -52,7 +52,7 @@ METHOD(simaka_card_t, get_triplet, bool,
                         c_rand, SIM_RAND_LEN, c_sres, SIM_SRES_LEN, c_kc, SIM_KC_LEN);
                if (id->matches(id, cand))
                {
-                       if (memeq(c_rand, rand, SIM_RAND_LEN))
+                       if (memeq_const(c_rand, rand, SIM_RAND_LEN))
                        {
                                DBG2(DBG_CFG, "  => triplet matches");
                                memcpy(sres, c_sres, SIM_SRES_LEN);
@@ -105,4 +105,3 @@ eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets)
 
        return &this->public;
 }
-
index 3905a06..e6abfe2 100644 (file)
@@ -536,7 +536,7 @@ METHOD(radius_message_t, verify, bool,
                /* verify Response-Authenticator */
                if (!hasher->get_hash(hasher, msg, NULL) ||
                        !hasher->get_hash(hasher, secret, buf) ||
-                       !memeq(buf, res_auth, HASH_SIZE_MD5))
+                       !memeq_const(buf, res_auth, HASH_SIZE_MD5))
                {
                        DBG1(DBG_CFG, "RADIUS Response-Authenticator verification failed");
                        return FALSE;
index 7c52aa3..1094c44 100644 (file)
@@ -85,7 +85,7 @@ METHOD(signer_t, verify_signature, bool,
                return FALSE;
        }
        return this->mac->get_mac(this->mac, data, mac) &&
-                  memeq(signature.ptr, mac, this->truncation);
+                  memeq_const(signature.ptr, mac, this->truncation);
 }
 
 METHOD(signer_t, get_key_size, size_t,
@@ -136,4 +136,3 @@ signer_t *mac_signer_create(mac_t *mac, size_t len)
 
        return &this->public;
 }
-
index 9ad0110..1403144 100644 (file)
@@ -138,7 +138,7 @@ METHOD(signer_t, verify_signature, bool,
        {
                return FALSE;
        }
-       return memeq(signature.ptr, sig, signature.len);
+       return memeq_const(signature.ptr, sig, signature.len);
 }
 
 METHOD(signer_t, get_key_size, size_t,
index 6d4b2e1..676d676 100644 (file)
@@ -256,7 +256,7 @@ static bool verify_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
        char buf[this->icv_size];
 
        return create_icv(this, plain, assoc, iv, buf) &&
-                  memeq(buf, icv, this->icv_size);
+                  memeq_const(buf, icv, this->icv_size);
 }
 
 METHOD(aead_t, encrypt, bool,
index 4ab1701..6e1694a 100644 (file)
@@ -276,7 +276,7 @@ static bool verify_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
        char tmp[this->icv_size];
 
        return create_icv(this, assoc, crypt, j, tmp) &&
-                  memeq(tmp, icv, this->icv_size);
+                  memeq_const(tmp, icv, this->icv_size);
 }
 
 METHOD(aead_t, encrypt, bool,
index ad659e4..e738908 100644 (file)
@@ -187,7 +187,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
                                 " %u bytes", em.len, data.len);
                        goto end;
                }
-               success = memeq(em.ptr, data.ptr, data.len);
+               success = memeq_const(em.ptr, data.ptr, data.len);
        }
        else
        {   /* IKEv2 and X.509 certificate signatures */
@@ -258,7 +258,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
                                                goto end_parser;
                                        }
                                        hasher->destroy(hasher);
-                                       success = memeq(object.ptr, hash.ptr, hash.len);
+                                       success = memeq_const(object.ptr, hash.ptr, hash.len);
                                        free(hash.ptr);
                                        break;
                                }
@@ -500,4 +500,3 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args)
 
        return &this->public;
 }
-