current/SOURCES/0002-Use-timingsafe_memcmp-to-compare-MIT-MAGIC-COOKIES-C.patch

From 3f61c7a09b220805ee6778f4bf2f429e3df8e37a Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 28 Feb 2017 19:18:25 +0100
Subject: [PATCH 2/4] Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES
 CVE-2017-2624

Provide the function definition for systems that don't have it.

Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit d7ac755f0b618eb1259d93c8a16ec6e39a18627c)
---
 configure.ac            |  3 ++-
 include/dix-config.h.in |  3 +++
 include/os.h            |  5 +++++
 os/mitauth.c            |  2 +-
 os/timingsafe_memcmp.c  | 45 +++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 os/timingsafe_memcmp.c

diff --git a/configure.ac b/configure.ac
index 770c3e6..62cd547 100644
--- a/configure.ac
+++ b/configure.ac
@@ -221,7 +221,8 @@ AC_CHECK_FUNCS([backtrace ffs geteuid getuid issetugid getresuid \
        mmap posix_fallocate seteuid shmctl64 strncasecmp vasprintf vsnprintf \
        walkcontext setitimer poll epoll_create1])
 AC_CONFIG_LIBOBJ_DIR([os])
-AC_REPLACE_FUNCS([reallocarray strcasecmp strcasestr strlcat strlcpy strndup])
+AC_REPLACE_FUNCS([reallocarray strcasecmp strcasestr strlcat strlcpy strndup\
+       timingsafe_memcmp])
 AM_CONDITIONAL(POLL, [test "x$ac_cv_func_poll" = "xyes"])
 
 AC_CHECK_DECLS([program_invocation_short_name], [], [], [[#include <errno.h>]])
diff --git a/include/dix-config.h.in b/include/dix-config.h.in
index 4f020e5..4b86c1a 100644
--- a/include/dix-config.h.in
+++ b/include/dix-config.h.in
@@ -238,6 +238,9 @@
 /* Define to 1 if you have the <sys/utsname.h> header file. */
 #undef HAVE_SYS_UTSNAME_H
 
+/* Define to 1 if you have the `timingsafe_memcmp' function. */
+#undef HAVE_TIMINGSAFE_MEMCMP
+
 /* Define to 1 if you have the <tslib.h> header file. */
 #undef HAVE_TSLIB_H
 
diff --git a/include/os.h b/include/os.h
index d2c41b4..aa231f5 100644
--- a/include/os.h
+++ b/include/os.h
@@ -590,6 +590,11 @@ extern _X_EXPORT char *
 strndup(const char *str, size_t n);
 #endif
 
+#ifndef HAVE_TIMINGSAFE_MEMCMP
+extern _X_EXPORT int
+timingsafe_memcmp(const void *b1, const void *b2, size_t len);
+#endif
+
 /* Logging. */
 typedef enum _LogParameter {
     XLOG_FLUSH,
diff --git a/os/mitauth.c b/os/mitauth.c
index 768a52a..efae440 100644
--- a/os/mitauth.c
+++ b/os/mitauth.c
@@ -76,7 +76,7 @@ MitCheckCookie(unsigned short data_length,
 
     for (auth = mit_auth; auth; auth = auth->next) {
         if (data_length == auth->len &&
-            memcmp(data, auth->data, (int) data_length) == 0)
+            timingsafe_memcmp(data, auth->data, (int) data_length) == 0)
             return auth->id;
     }
     *reason = "Invalid MIT-MAGIC-COOKIE-1 key";
diff --git a/os/timingsafe_memcmp.c b/os/timingsafe_memcmp.c
new file mode 100644
index 0000000..36ab362
--- /dev/null
+++ b/os/timingsafe_memcmp.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2014 Google Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <limits.h>
+#include <string.h>
+
+int
+timingsafe_memcmp(const void *b1, const void *b2, size_t len)
+{
+        const unsigned char *p1 = b1, *p2 = b2;
+        size_t i;
+        int res = 0, done = 0;
+
+        for (i = 0; i < len; i++) {
+                /* lt is -1 if p1[i] < p2[i]; else 0. */
+                int lt = (p1[i] - p2[i]) >> CHAR_BIT;
+
+                /* gt is -1 if p1[i] > p2[i]; else 0. */
+                int gt = (p2[i] - p1[i]) >> CHAR_BIT;
+
+                /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
+                int cmp = lt - gt;
+
+                /* set res = cmp if !done. */
+                res |= cmp & ~done;
+
+                /* set done if p1[i] != p2[i]. */
+                done |= lt | gt;
+        }
+
+        return (res);
+}
-- 
2.10.2

1	From 3f61c7a09b220805ee6778f4bf2f429e3df8e37a Mon Sep 17 00:00:00 2001
2	From: Matthieu Herrb <matthieu@herrb.eu>
3	Date: Tue, 28 Feb 2017 19:18:25 +0100
4	Subject: [PATCH 2/4] Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES
5	CVE-2017-2624
6
7	Provide the function definition for systems that don't have it.
8
9	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
10	Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
11	(cherry picked from commit d7ac755f0b618eb1259d93c8a16ec6e39a18627c)
12	---
13	configure.ac \| 3 ++-
14	include/dix-config.h.in \| 3 +++
15	include/os.h \| 5 +++++
16	os/mitauth.c \| 2 +-
17	os/timingsafe_memcmp.c \| 45 +++++++++++++++++++++++++++++++++++++++++++++
18	5 files changed, 56 insertions(+), 2 deletions(-)
19	create mode 100644 os/timingsafe_memcmp.c
20
21	diff --git a/configure.ac b/configure.ac
22	index 770c3e6..62cd547 100644
23	--- a/configure.ac
24	+++ b/configure.ac
25	@@ -221,7 +221,8 @@ AC_CHECK_FUNCS([backtrace ffs geteuid getuid issetugid getresuid \
26	mmap posix_fallocate seteuid shmctl64 strncasecmp vasprintf vsnprintf \
27	walkcontext setitimer poll epoll_create1])
28	AC_CONFIG_LIBOBJ_DIR([os])
29	-AC_REPLACE_FUNCS([reallocarray strcasecmp strcasestr strlcat strlcpy strndup])
30	+AC_REPLACE_FUNCS([reallocarray strcasecmp strcasestr strlcat strlcpy strndup\
31	+ timingsafe_memcmp])
32	AM_CONDITIONAL(POLL, [test "x$ac_cv_func_poll" = "xyes"])
33
34	AC_CHECK_DECLS([program_invocation_short_name], [], [], [[#include <errno.h>]])
35	diff --git a/include/dix-config.h.in b/include/dix-config.h.in
36	index 4f020e5..4b86c1a 100644
37	--- a/include/dix-config.h.in
38	+++ b/include/dix-config.h.in
39	@@ -238,6 +238,9 @@
40	/* Define to 1 if you have the <sys/utsname.h> header file. */
41	#undef HAVE_SYS_UTSNAME_H
42
43	+/* Define to 1 if you have the `timingsafe_memcmp' function. */
44	+#undef HAVE_TIMINGSAFE_MEMCMP
45	+
46	/* Define to 1 if you have the <tslib.h> header file. */
47	#undef HAVE_TSLIB_H
48
49	diff --git a/include/os.h b/include/os.h
50	index d2c41b4..aa231f5 100644
51	--- a/include/os.h
52	+++ b/include/os.h
53	@@ -590,6 +590,11 @@ extern _X_EXPORT char *
54	strndup(const char *str, size_t n);
55	#endif
56
57	+#ifndef HAVE_TIMINGSAFE_MEMCMP
58	+extern _X_EXPORT int
59	+timingsafe_memcmp(const void b1, const void b2, size_t len);
60	+#endif
61	+
62	/* Logging. */
63	typedef enum _LogParameter {
64	XLOG_FLUSH,
65	diff --git a/os/mitauth.c b/os/mitauth.c
66	index 768a52a..efae440 100644
67	--- a/os/mitauth.c
68	+++ b/os/mitauth.c
69	@@ -76,7 +76,7 @@ MitCheckCookie(unsigned short data_length,
70
71	for (auth = mit_auth; auth; auth = auth->next) {
72	if (data_length == auth->len &&
73	- memcmp(data, auth->data, (int) data_length) == 0)
74	+ timingsafe_memcmp(data, auth->data, (int) data_length) == 0)
75	return auth->id;
76	}
77	*reason = "Invalid MIT-MAGIC-COOKIE-1 key";
78	diff --git a/os/timingsafe_memcmp.c b/os/timingsafe_memcmp.c
79	new file mode 100644
80	index 0000000..36ab362
81	--- /dev/null
82	+++ b/os/timingsafe_memcmp.c
83	@@ -0,0 +1,45 @@
84	+/*
85	+ * Copyright (c) 2014 Google Inc.
86	+ *
87	+ * Permission to use, copy, modify, and distribute this software for any
88	+ * purpose with or without fee is hereby granted, provided that the above
89	+ * copyright notice and this permission notice appear in all copies.
90	+ *
91	+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
92	+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
93	+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
94	+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
95	+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
96	+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
97	+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
98	+ */
99	+
100	+#include <limits.h>
101	+#include <string.h>
102	+
103	+int
104	+timingsafe_memcmp(const void b1, const void b2, size_t len)
105	+{
106	+ const unsigned char p1 = b1, p2 = b2;
107	+ size_t i;
108	+ int res = 0, done = 0;
109	+
110	+ for (i = 0; i < len; i++) {
111	+ /* lt is -1 if p1[i] < p2[i]; else 0. */
112	+ int lt = (p1[i] - p2[i]) >> CHAR_BIT;
113	+
114	+ /* gt is -1 if p1[i] > p2[i]; else 0. */
115	+ int gt = (p2[i] - p1[i]) >> CHAR_BIT;
116	+
117	+ /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
118	+ int cmp = lt - gt;
119	+
120	+ /* set res = cmp if !done. */
121	+ res \|= cmp & ~done;
122	+
123	+ /* set done if p1[i] != p2[i]. */
124	+ done \|= lt \| gt;
125	+ }
126	+
127	+ return (res);
128	+}
129	--
130	2.10.2
131