these are comparing authenticators and need to be constant time...
authorjmg <jmg@FreeBSD.org>
Fri, 31 Jul 2015 00:31:52 +0000 (00:31 +0000)
committerjmg <jmg@FreeBSD.org>
Fri, 31 Jul 2015 00:31:52 +0000 (00:31 +0000)
Comparing them with bcmp could open a timing side channel...  Now that
we have a function for this, use it...

jmgurney/ipsecgcm: 24d704cc and 7f37a14

sys/netipsec/xform_ah.c
sys/netipsec/xform_esp.c

index ae0feb9f627a9c09f1dc1d0da5d3764d38250884..350a735a89b3c3f37e00a2aa7cc75127830f94c6 100644 (file)
@@ -777,7 +777,7 @@ ah_input_cb(struct cryptop *crp)
 
        /* Verify authenticator. */
        ptr = (caddr_t) (tc + 1);
-       if (bcmp(ptr + skip + rplen, calc, authsize)) {
+       if (timingsafe_bcmp(ptr + skip + rplen, calc, authsize)) {
                DPRINTF(("%s: authentication hash mismatch for packet "
                    "in SA %s/%08lx\n", __func__,
                    ipsec_address(&saidx->dst, buf, sizeof(buf)),
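Review bot: The comment above the comparison in ah_input_cb still reads only `/* Verify authenticator. */`, so nothing at the call site tells a later maintainer that constant-time behaviour is the reason timingsafe_bcmp is used instead of bcmp. I would extend it to `/* Verify authenticator; compare in constant time so a mismatch does not leak how many leading bytes matched. */`. The same applies to `/* Verify authenticator */` in the esp_input_cb hunk in xform_esp.c. ah_input_cb's body starts and ends outside this hunk.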
index 67551caef43e58a46011a104b20d06ee98c96657..d8182dfdf5887ffb6319d4fb1b2b5e6e476722b6 100644 (file)
@@ -534,7 +534,7 @@ esp_input_cb(struct cryptop *crp)
                ptr = (caddr_t) (tc + 1);
 
                /* Verify authenticator */
-               if (bcmp(ptr, aalg, alen) != 0) {
+               if (timingsafe_bcmp(ptr, aalg, alen) != 0) {
                        DPRINTF(("%s: authentication hash mismatch for "
                            "packet in SA %s/%08lx\n", __func__,
                            ipsec_address(&saidx->dst, buf, sizeof(buf)),
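Review bot: The result is tested here as `timingsafe_bcmp(ptr, aalg, alen) != 0`, while the equivalent check in ah_input_cb (xform_ah.c) is written `if (timingsafe_bcmp(...))`, so the two authenticator checks read differently. Since the return value only distinguishes equal from unequal, the explicit `!= 0` form seems the clearer one to use in both places. esp_input_cb's body starts and ends outside this hunk.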