diff options
author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-16 08:16:45 -0500 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 12:10:19 -0500 |
commit | 7cb0430572e4dc864b7b0cd7876d037a0757cbdb (patch) | |
tree | b6ff1bfa85a4b16b7d63e34a6c5ab287e1b6027c /sys/netipsec/xform_ah.c | |
parent | 87917f89b81d1289daae2e25ff274fa49de2e533 (diff) | |
download | FreeBSD-src-7cb0430572e4dc864b7b0cd7876d037a0757cbdb.zip FreeBSD-src-7cb0430572e4dc864b7b0cd7876d037a0757cbdb.tar.gz |
MFC r286101:
these are comparing authenticators and need to be constant time...
This could be a side channel attack... Now that we have a function
for this, use it...
jmgurney/ipsecgcm: 24d704cc and 7f37a14
TAG: IPSEC-HEAD
Issue: #4841
Diffstat (limited to 'sys/netipsec/xform_ah.c')
-rw-r--r-- | sys/netipsec/xform_ah.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index d45889a..6829d59 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -775,7 +775,7 @@ ah_input_cb(struct cryptop *crp) /* Verify authenticator. */ ptr = (caddr_t) (tc + 1); - if (bcmp(ptr + skip + rplen, calc, authsize)) { + if (timingsafe_bcmp(ptr + skip + rplen, calc, authsize)) { DPRINTF(("%s: authentication hash mismatch for packet " "in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst, buf, sizeof(buf)), |