[RFC PATCH 0/5] Security-relevant fixes, transform agility

Ian Jackson ijackson at chiark.greenend.org.uk
Wed Jul 17 14:02:54 BST 2013

This is a preview of a work-in-progress series I have in development
to fix some security problems in secnet.

The biggest problem is that we are using CBC-MAC, which is known to be
broken.  I plan to fix this by replace our CBC+CBC-MAC transform with

Unfortunately we are lacking algorithm agility.  Looking at the NOTES
and the code, it is difficult to retrofit this because we're lacking
an officially approved space for future expansion covered by the

However, bug to the rescue!  It turns out that the string comparison
used for checking site names is broken in a way that we can exploit.
We therefore perpetrate an awful bodge, and enshrine and document it.

Ideally we would like also to abandon PKCS#1 in favour of OAEP.  But I
think this is less urgent and wants to be combined with a general
public key (and public algorithm) rollover mechanism, which we are
currently lacking.

So far in this series, we make a start on using a constant-time memcmp
and providing a capability field for future expansion:
 1/5 memcmp: Introduce and use consttime_memcmp
 2/5 transform: Do not look at any bytes of PKCS#5 padding other than the last
 3/5 NOTES: Remove unimplemented protocol negotiation
 4/5 site: fix site name checking leaving room for expansion
 5/5 site: interpret first two bytes of extrainfo as capabilities
NB that this series is an RFC.  It compiles but HAS NOT BEEN EXECUTED.

More information about the sgo-software-discuss mailing list