From b621fb503c76f3bdf06ed5ed1d3a995df8da9c50 Mon Sep 17 00:00:00 2001 From: Antonio Nino Diaz Date: Fri, 13 Jan 2017 13:53:32 +0000 Subject: [PATCH] tbbr: Use constant-time bcmp() to compare hashes To avoid timing side-channel attacks, it is needed to use a constant time memory comparison function when comparing hashes. The affected code only cheks for equality so it isn't needed to use any variant of memcmp(), bcmp() is enough. Also, timingsafe_bcmp() is as fast as memcmp() when the two compared regions are equal, so this change incurrs no performance hit in said case. In case they are unequal, the boot sequence wouldn't continue as normal, so performance is not an issue. Change-Id: I1c7c70ddfa4438e6031c8814411fef79fd3bb4df Signed-off-by: Antonio Nino Diaz --- drivers/auth/mbedtls/mbedtls_crypto.c | 2 +- drivers/auth/mbedtls/mbedtls_x509_parser.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/auth/mbedtls/mbedtls_crypto.c b/drivers/auth/mbedtls/mbedtls_crypto.c index 1a96e8f8d..11d3ede45 100644 --- a/drivers/auth/mbedtls/mbedtls_crypto.c +++ b/drivers/auth/mbedtls/mbedtls_crypto.c @@ -217,7 +217,7 @@ static int verify_hash(void *data_ptr, unsigned int data_len, } /* Compare values */ - rc = memcmp(data_hash, hash, mbedtls_md_get_size(md_info)); + rc = timingsafe_bcmp(data_hash, hash, mbedtls_md_get_size(md_info)); if (rc != 0) { return CRYPTO_ERR_HASH; } diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c index 73da9d1e7..f9485de3d 100644 --- a/drivers/auth/mbedtls/mbedtls_x509_parser.c +++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c @@ -392,7 +392,7 @@ static int cert_parse(void *img, unsigned int img_len) if (sig_alg1.len != sig_alg2.len) { return IMG_PARSER_ERR_FORMAT; } - if (0 != memcmp(sig_alg1.p, sig_alg2.p, sig_alg1.len)) { + if (0 != timingsafe_bcmp(sig_alg1.p, sig_alg2.p, sig_alg1.len)) { return IMG_PARSER_ERR_FORMAT; } memcpy(&sig_alg, &sig_alg1, sizeof(sig_alg));