Commit 3172d79b authored by Ian Goldberg's avatar Ian Goldberg

Use a constant-time memory comparison for safety.

Thanks to jvoisin <julien.voisin@dustri.org> for the suggestion.
parent 262d0522
2014-02-15
* src/proto.c:
* src/auth.c:
* src/mem.c:
* src/mem.h: Use a constant-time memory comparison for safety.
Thanks to jvoisin <julien.voisin@dustri.org> for the suggestion.
2013-10-13
* src/proto.c: Return 0 instead of crashing from
......
......@@ -30,6 +30,7 @@
#include "serial.h"
#include "proto.h"
#include "context.h"
#include "mem.h"
#if OTRL_DEBUGGING
#include <stdio.h>
......@@ -976,7 +977,9 @@ gcry_error_t otrl_auth_handle_revealsig(OtrlAuthInfo *auth,
/* Check the hash */
gcry_md_hash_buffer(GCRY_MD_SHA256, hashbuf, gxbuf,
auth->encgx_len);
if (memcmp(hashbuf, auth->hashgx, 32)) goto decfail;
/* This isn't comparing secret data, but may as well use the
* constant-time version. */
if (otrl_mem_differ(hashbuf, auth->hashgx, 32)) goto decfail;
/* Extract g^x */
bufp = gxbuf;
......@@ -1005,7 +1008,7 @@ gcry_error_t otrl_auth_handle_revealsig(OtrlAuthInfo *auth,
gcry_md_reset(auth->mac_m2);
gcry_md_write(auth->mac_m2, authstart, authend - authstart);
if (memcmp(macstart,
if (otrl_mem_differ(macstart,
gcry_md_read(auth->mac_m2, GCRY_MD_SHA256),
20)) goto invval;
......@@ -1121,7 +1124,7 @@ gcry_error_t otrl_auth_handle_signature(OtrlAuthInfo *auth,
/* Check the MAC */
gcry_md_reset(auth->mac_m2p);
gcry_md_write(auth->mac_m2p, authstart, authend - authstart);
if (memcmp(macstart,
if (otrl_mem_differ(macstart,
gcry_md_read(auth->mac_m2p, GCRY_MD_SHA256),
20)) goto invval;
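Review bot: The lengths `32` and `20` are bare literals at all three comparisons in the auth hunks and again at the `20` in `otrl_proto_accept_data`, and `otrl_mem_differ` always reads the full length from both pointers, where a typical `memcmp` may stop at the first mismatch. Whether `macstart` (and `givenmac` in the proto hunk) has 20 bytes available is decided outside these hunks, because each enclosing function starts and ends elsewhere; that should be confirmed against the length checks earlier in each function. A named constant would make the dependency visible, for example a new `#define OTRL_AUTH_MAC_LEN 20` (name is only a suggestion) passed as the third argument, with a one-line comment at each site naming the check that bounds the buffer.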
......
......@@ -162,3 +162,19 @@ void otrl_mem_init(void)
otrl_mem_free
);
}
/* Compare two memory blocks in time dependent on the length of the
* blocks, but not their contents. Returns 1 if they differ, 0 if they
* are the same. */
int otrl_mem_differ(const unsigned char *buf1, const unsigned char *buf2,
size_t len)
{
unsigned char diff = 0;
while (len) {
diff |= ((*buf1) ^ (*buf2));
++buf1;
++buf2;
--len;
}
return (diff != 0);
}
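Review bot: `otrl_mem_differ` relies on the compiler keeping the loop exactly as written, but timing is not observable behaviour in C, so an optimizer may in principle leave the loop early once `diff` is non-zero or otherwise make the run time depend on the data. Reading through volatile-qualified pointers, e.g. `const volatile unsigned char *p1 = buf1, *p2 = buf2;` with `diff |= *p1++ ^ *p2++;`, is a common way to discourage that, and inspecting the generated code for the release build would settle it. The comment should also state that both buffers must hold at least `len` bytes and that `len == 0` reports "same", so a caller must not pass a peer-derived length without a lower bound; the same wording belongs on the declaration in the header.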
......@@ -21,6 +21,14 @@
#ifndef __MEM_H__
#define __MEM_H__
#include <stdlib.h>
void otrl_mem_init(void);
/* Compare two memory blocks in time dependent on the length of the
* blocks, but not their contents. Returns 1 if they differ, 0 if they
* are the same. */
int otrl_mem_differ(const unsigned char *buf1, const unsigned char *buf2,
size_t len);
#endif
......@@ -826,7 +826,8 @@ gcry_error_t otrl_proto_accept_data(char **plaintextp, OtrlTLV **tlvsp,
gcry_md_reset(sess->rcvmac);
gcry_md_write(sess->rcvmac, macstart, macend-macstart);
if (memcmp(givenmac, gcry_md_read(sess->rcvmac, GCRY_MD_SHA1), 20)) {
if (otrl_mem_differ(givenmac, gcry_md_read(sess->rcvmac, GCRY_MD_SHA1),
20)) {
/* The MACs didn't match! */
goto conflict;
}
......