
Commit 572e7d5

committed
Added constant-time comparison against stored digest
1 parent 314f0a5 commit 572e7d5

1 file changed

Lines changed: 14 additions & 1 deletion


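--- a/src/image.c
+++ b/src/image.c
@@ -58,6 +58,19 @@
 /* Globals */
 static uint8_t digest[WOLFBOOT_SHA_DIGEST_SIZE] XALIGNED(4);
 
+static int image_CT_compare(const uint8_t *expected, const uint8_t *actual,
+uint32_t len)
+{
+uint8_t diff = 0;
+uint32_t i;
+
+for (i = 0; i < len; i++) {
+diff |= expected[i] ^ actual[i];
+}
+
+return diff == 0;
+}
+
 #if defined(WOLFBOOT_CERT_CHAIN_VERIFY) && \
 (defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) || \
 defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER))
@@ -1527,7 +1540,7 @@ int wolfBoot_verify_integrity(struct wolfBoot_image *img)
 return -1;
 if (image_hash(img, digest) != 0)
 return -1;
-if (memcmp(digest, stored_sha, stored_sha_len) != 0)
+if (!image_CT_compare(digest, stored_sha, stored_sha_len))
 return -1;
 img->sha_ok = 1;
 img->sha_hash = stored_sha;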
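Review bot: image_CT_compare() returns 1 when len is 0 and reads len bytes from both buffers without knowing their sizes, so the call in wolfBoot_verify_integrity() is only safe if stored_sha_len has already been checked to equal WOLFBOOT_SHA_DIGEST_SIZE. That check is not visible here because the function starts outside the hunk, so it should be confirmed. The helper also inverts memcmp's convention (non-zero means equal), which deserves a comment above it such as `/* Returns 1 if the len bytes match, 0 otherwise; run time does not depend on the data. Caller must validate len. */`. Declaring the accumulator as `volatile uint8_t diff = 0;` would make it harder for an optimizing compiler to turn the loop into an early-exit comparison.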
