server: Compare MAC tags in constant time.

This fixes a timing attack.  If an adversary can watch the timestamp on
the server's log, then it might be possible to determine how much of a
forged packet's MAC is invalid, and thereby figure out one byte at a
time.

This requires the new constant-time comparison function in Catacomb, so
update the dependencies.

This is release 1.0.0pre13.

diff --git a/configure.ac b/configure.ac
index ad39a1f40bda9d543a20058b71de00f78765457a..a394bb591a2a5e29a9ce22373513e05e53233bb7 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -64,7 +64,7 @@ case "$host_os" in
 esac
 
 PKG_CHECK_MODULES([mLib], [mLib >= 2.1.0])
-PKG_CHECK_MODULES([catacomb], [catacomb >= 2.1.1])
+PKG_CHECK_MODULES([catacomb], [catacomb >= 2.1.4])
 
 AM_CFLAGS="$AM_CFLAGS $mLib_CFLAGS $catacomb_CFLAGS"
 

diff --git a/debian/changelog b/debian/changelog
index 0183dc0ad9cbcd2820580c98547c0311865e8e61..367ec339f5633437d16f8198c0e3910dd538c8eb 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+tripe (1.0.0pre13) experimental; urgency=low
+
+  * Compare MAC tags in constant time.  (Fixes a timing attack performed
+    by an adversary who can watch the timestamp on the server log.)
+
+ -- Mark Wooding <mdw@distorted.org.uk>  Mon, 27 May 2013 22:58:31 +0100
+
 tripe (1.0.0pre12.2) experimental; urgency=low
 
   * New `tripe-keys' command: `check' reports on keys which will expire

diff --git a/debian/control b/debian/control
index 2c4d258101ce5cd3c6a9205278198795d39552dd..d42e5901aa12baea4059bef45c1787535252450c 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: net
 Priority: extra
 Maintainer: Mark Wooding <mdw@distorted.org.uk>
 XS-Python-Version: >= 2.4
-Build-Depends: catacomb-dev (>= 2.1.1), mlib-dev (>= 2.0.4),
+Build-Depends: catacomb-dev (>= 2.1.4), mlib-dev (>= 2.0.4),
  tshark, wireshark-dev (>= 0.10.10), debhelper (>= 4.0.2),
  python-central
 Standards-Version: 3.1.1

diff --git a/server/chal.c b/server/chal.c
index 12b64e21ab4a7676c8a6182c794be8560ebdc864..e282f08548967e5cd8d4cd7722948a0cb5e4c01f 100644 (file)
--- a/server/chal.c
+++ b/server/chal.c
@@ -117,7 +117,7 @@ int c_check(buf *b)
   }
   h = GM_INIT(mac);
   GH_HASH(h, p, 4);
-  ok = (memcmp(GH_DONE(h, 0), p + 4, master->algs.tagsz) == 0);
+  ok = ct_memeq(GH_DONE(h, 0), p + 4, master->algs.tagsz);
   GH_DESTROY(h);
   if (!ok) {
     a_warn("CHAL", "incorrect-tag", A_END);

diff --git a/server/keyset.c b/server/keyset.c
index c54febdc73bde4a38c4d1051d3df2547b346a1a5..66a59618492e2b9ed71b12c820901f7a1ccb0b0e 100644 (file)
--- a/server/keyset.c
+++ b/server/keyset.c
@@ -201,7 +201,7 @@ static int dodecrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq)
     GH_HASH(h, t, sizeof(t));
     GH_HASH(h, pseq, SEQSZ + ivsz + sz);
     mac = GH_DONE(h, 0);
-    eq = !memcmp(mac, pmac, tagsz);
+    eq = ct_memeq(mac, pmac, tagsz);
     IF_TRACING(T_KEYSET, {
       trace_block(T_CRYPTO, "crypto: computed MAC", mac, tagsz);
     })

diff --git a/server/tripe.h b/server/tripe.h
index 72a47a108b45739de63e1d7d1eb8f600b6edc909..da0732446cf518592582cad676b1f62181879247 100644 (file)
--- a/server/tripe.h
+++ b/server/tripe.h
@@ -89,6 +89,7 @@
 #include <mLib/versioncmp.h>
 
 #include <catacomb/buf.h>
+#include <catacomb/ct.h>
 
 #include <catacomb/gcipher.h>
 #include <catacomb/gmac.h>