commit 0efac53cdc9554eb532bc1b3644d940f6b4fb3ee
author Teppo Järvelin <teppo.jarvelin@arm.com> Fri Oct 04 13:21:08 2019 +0300
committer Teppo Järvelin <teppo.jarvelin@arm.com> Fri Oct 04 13:21:08 2019 +0300
tree bed960702cd419bfe355459689443ebb0b5aca33
parent 707ceb88f042570e655e906218b3dd1d944ed333

Review fixes: fixed comments to be more accurate and changed one memcmp to safer version

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ed14cb3..1474752 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2883,7 +2883,7 @@
      * Match record's CID with incoming CID.
      */
     if( rec->cid_len != transform->in_cid_len ||
-        memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 ) // use regular memcmp as CID is not that critical
+        memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 ) // use regular memcmp as CID is public
     {
         return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );
     }
@@ -6013,7 +6013,7 @@
             else
             {
                 /* Make sure msg_type and length are consistent */
-                if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 ) // use regular memcmp as msg type is not that critical
+                if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 ) // use regular memcmp as msg type is public
                 {
                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
                     /* Ignore */
@@ -7086,7 +7086,7 @@
     if( ssl->in_hslen   == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
         ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE    &&
         ssl->in_msg[0]  == MBEDTLS_SSL_HS_CERTIFICATE   &&
-        memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 ) // use regular memcmp as this compare is not that critical
+        memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 ) // use regular memcmp as comparing public data
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
         return( 0 );
@@ -9961,7 +9961,7 @@
         if( (size_t)( end - p ) < sizeof( ssl_serialized_session_header ) )
             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 
-        // use regular memcmp as session header is not that critical
+        // use regular memcmp as session header is public data
         if( memcmp( p, ssl_serialized_session_header,
                     sizeof( ssl_serialized_session_header ) ) != 0 )
         {
@@ -10404,7 +10404,7 @@
         return( 0 );
     }
 
-    // use regular memcmp as counters are not that critical
+    // use regular memcmp as counters are public data
     in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
                         ssl->conf->renego_period + ep_len, 8 - ep_len );
     out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,

library/x509.c

diff --git a/library/x509.c b/library/x509.c
index a796760..1e61db8 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -588,9 +588,8 @@
         if( ret != 0 )
             goto exit;
 
-        // use regular memcmp as oid is not that critical
         if( oid[0].len != oid[1].len ||
-            memcmp( oid[0].p, oid[1].p, oid[1].len ) != 0 )
+            mbedtls_platform_memcmp( oid[0].p, oid[1].p, oid[1].len ) != 0 )
         {
             return( 1 );
         }