Skip to content

Use memcmp_constant_time for SHA-256 hash comparisons #1004

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
kodareef5 wants to merge 1 commit into from
+7 −4
Closed

Use memcmp_constant_time for SHA-256 hash comparisons #1004

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions src/openvpn/init.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@
#endif

#include "win32.h"
#include "crypto.h"
#include "init.h"
#include "run_command.h"
#include "sig.h"
Expand Down Expand Up @@ -2164,8 +2165,8 @@ static bool
options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
{
const struct sha256_digest zero = { { 0 } };
return memcmp(a, b, sizeof(struct sha256_digest))
|| !memcmp(a, &zero, sizeof(struct sha256_digest));
return memcmp_constant_time(a, b, sizeof(struct sha256_digest))
|| !memcmp_constant_time(a, &zero, sizeof(struct sha256_digest));
Copy link
Copy Markdown
Contributor

@schwabe schwabe Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a check if we can keep tun device open or not. The hash is really used to avoid storing all the old options to compare them.

I do not see a reason to make this a constant time check other than blindly applying "hashes must be compared with constant time"

}

/**
Expand Down
3 changes: 2 additions & 1 deletion src/openvpn/ssl_mbedtls.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@

#if defined(ENABLE_CRYPTO_MBEDTLS)

#include "crypto.h"
#include "errlevel.h"
#include "ssl_backend.h"
#include "base64.h"
Expand Down Expand Up @@ -1035,7 +1036,7 @@ tls_ctx_personalise_random(struct tls_root_ctx *ctx)
msg(M_WARN, "WARNING: failed to personalise random");
}

if (0 != memcmp(old_sha256_hash, sha256_hash, sizeof(sha256_hash)))
if (0 != memcmp_constant_time(old_sha256_hash, sha256_hash, sizeof(sha256_hash)))
Copy link
Copy Markdown
Contributor

@schwabe schwabe Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This also feels like applying "hashes must be compared with constant time" rather than any actual security scenario.
Also the newer mbed TLS versions do not use this anymore.

{
if (!mbed_ok(mbedtls_ctr_drbg_update(cd_ctx, sha256_hash, 32)))
{
Expand Down
3 changes: 2 additions & 1 deletion src/openvpn/ssl_verify.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@
#include "manage.h"
#include "otime.h"
#include "run_command.h"
#include "crypto.h"
#include "ssl_verify.h"
#include "ssl_verify_backend.h"

Expand Down Expand Up @@ -241,7 +242,7 @@ cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *
continue;
}
else if (ch1 && ch2
&& !memcmp(ch1->sha256_hash, ch2->sha256_hash, sizeof(ch1->sha256_hash)))
&& !memcmp_constant_time(ch1->sha256_hash, ch2->sha256_hash, sizeof(ch1->sha256_hash)))
Copy link
Copy Markdown
Contributor

@schwabe schwabe Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is only one that could maybe be constant time. But then again to have any chance of exploiting this one requires you to be able to generate arbitary certificates that are trusted by CA that is in use by OpenVPN to verify the client certificates.
If that happens you have bigger things to worry about.

{
continue;
}
Expand Down
Loading