[RFC PATCH 0/5] Security-relevant fixes, transform agility

Ian Jackson ijackson at chiark.greenend.org.uk
Wed Jul 17 14:02:54 BST 2013


This is a preview of a work-in-progress series I have in development
to fix some security problems in secnet.

The biggest problem is that we are using CBC-MAC, which is known to be
broken.  I plan to fix this by replacing our CBC+CBC-MAC transform with
EAX.

Unfortunately we are lacking algorithm agility.  Looking at the NOTES
and the code, it is difficult to retrofit this because we're lacking
an officially approved space for future expansion covered by the
signatures.

However, bug to the rescue!  It turns out that the string comparison
used for checking site names is broken in a way that we can exploit.
We therefore perpetrate an awful bodge, and enshrine and document it.

Ideally we would like also to abandon PKCS#1 in favour of OAEP.  But I
think this is less urgent and wants to be combined with a general
public key (and public algorithm) rollover mechanism, which we are
currently lacking.

So far in this series, we make a start on using a constant-time memcmp
and providing a capability field for future expansion:
 1/5 memcmp: Introduce and use consttime_memcmp
 2/5 transform: Do not look at any bytes of PKCS#5 padding other than the last
 3/5 NOTES: Remove unimplemented protocol negotiation
 4/5 site: fix site name checking leaving room for expansion
 5/5 site: interpret first two bytes of extrainfo as capabilities

NB that this series is an RFC.  It compiles but HAS NOT BEEN EXECUTED.
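
Added example, not code from the message or from the secnet series: a sketch of the two techniques named in the titles of 1/5 and 2/5, a comparison with no early exit and a padding strip that reads only the final byte. The name `consttime_memcmp` comes from the patch title, but this body, the helper `unpad_last_byte_only`, the return conventions and the sample bytes are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 0 if the n bytes at a and b are equal, 1 otherwise.
 * Every byte is always visited and there is no data-dependent branch,
 * so run time does not depend on where the first mismatch lies. */
int consttime_memcmp(const void *a, const void *b, size_t n)
{
    const volatile uint8_t *pa = a, *pb = b;
    unsigned diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned)(pa[i] ^ pb[i]);
    return (int)((diff + 0xFFu) >> 8);   /* 0 stays 0, 1..255 becomes 1 */
}

/* Hypothetical helper: strip PKCS#5-style padding by reading only the
 * final byte. Returns the unpadded length, or -1 if that byte cannot be
 * a pad length. Earlier pad bytes are never read, so their values
 * cannot change the outcome. */
long unpad_last_byte_only(const uint8_t *buf, size_t len, size_t blocksize)
{
    if (blocksize == 0 || blocksize > 255 || len == 0 || len % blocksize != 0)
        return -1;
    uint8_t pad = buf[len - 1];
    if (pad < 1 || pad > blocksize)
        return -1;
    return (long)(len - pad);
}

int main(void)
{
    /* Constructed sample data, not taken from secnet traffic. */
    uint8_t tag_ok[4]  = { 0xde, 0xad, 0xbe, 0xef };
    uint8_t tag_bad[4] = { 0xde, 0xad, 0xbe, 0xee };
    uint8_t block[16]  = { 'h','e','l','l','o',' ','s','e','c','n','e','t',
                           0x99, 0x00, 0x41, 0x04 };  /* pad bytes differ */
    printf("equal tags:    %d\n", consttime_memcmp(tag_ok, tag_ok, 4));
    printf("mismatch:      %d\n", consttime_memcmp(tag_ok, tag_bad, 4));
    printf("unpadded len:  %ld\n", unpad_last_byte_only(block, 16, 16));
    return 0;
}
```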