From 04ed79b8ad88991517755598c5e8872380ec3dde Mon Sep 17 00:00:00 2001
Message-Id: <04ed79b8ad88991517755598c5e8872380ec3dde.1714094845.git.mdw@distorted.org.uk>
From: Mark Wooding
Date: Mon, 27 May 2013 22:59:19 +0100
Subject: [PATCH] server: Compare MAC tags in constant time.
Organization: Straylight/Edgeware
From: Mark Wooding

This fixes a timing attack. If an adversary can watch the timestamp on the server's log, then it might be possible to determine how much of a forged packet's MAC is invalid, and thereby figure out one byte at a time.

This requires the new constant-time comparison function in Catacomb, so update the dependencies.

This is release 1.0.0pre13.
---
 configure.ac | 2 +-
 debian/changelog | 7 +++++++
 debian/control | 2 +-
 server/chal.c | 2 +-
 server/keyset.c | 2 +-
 server/tripe.h | 1 +
 6 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac
index ad39a1f4..a394bb59 100644
--- a/configure.ac
+++ b/configure.ac
@@ -64,7 +64,7 @@ case "$host_os" in
 esac
 PKG_CHECK_MODULES([mLib], [mLib >= 2.1.0])
-PKG_CHECK_MODULES([catacomb], [catacomb >= 2.1.1])
+PKG_CHECK_MODULES([catacomb], [catacomb >= 2.1.4])
 AM_CFLAGS="$AM_CFLAGS $mLib_CFLAGS $catacomb_CFLAGS"
diff --git a/debian/changelog b/debian/changelog
index 0183dc0a..367ec339 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+tripe (1.0.0pre13) experimental; urgency=low
+
+ * Compare MAC tags in constant time. (Fixes a timing attack performed
+ by an adversary who can watch the timestamp on the server log.)
+
+ -- Mark Wooding Mon, 27 May 2013 22:58:31 +0100
+
 tripe (1.0.0pre12.2) experimental; urgency=low
 
 * New `tripe-keys' command: `check' reports on keys which will expire
diff --git a/debian/control b/debian/control
index 2c4d2581..d42e5901 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: net
 Priority: extra
 Maintainer: Mark Wooding
 XS-Python-Version: >= 2.4
-Build-Depends: catacomb-dev (>= 2.1.1), mlib-dev (>= 2.0.4),
+Build-Depends: catacomb-dev (>= 2.1.4), mlib-dev (>= 2.0.4),
 tshark, wireshark-dev (>= 0.10.10), debhelper (>= 4.0.2), python-central
 Standards-Version: 3.1.1
diff --git a/server/chal.c b/server/chal.c
index 12b64e21..e282f085 100644
--- a/server/chal.c
+++ b/server/chal.c
@@ -117,7 +117,7 @@ int c_check(buf *b)
 }
 h = GM_INIT(mac);
 GH_HASH(h, p, 4);
- ok = (memcmp(GH_DONE(h, 0), p + 4, master->algs.tagsz) == 0);
+ ok = ct_memeq(GH_DONE(h, 0), p + 4, master->algs.tagsz);
 GH_DESTROY(h);
 if (!ok) {
 a_warn("CHAL", "incorrect-tag", A_END);
diff --git a/server/keyset.c b/server/keyset.c
index c54febdc..66a59618 100644
--- a/server/keyset.c
+++ b/server/keyset.c
@@ -201,7 +201,7 @@ static int dodecrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq)
 GH_HASH(h, t, sizeof(t));
 GH_HASH(h, pseq, SEQSZ + ivsz + sz);
 mac = GH_DONE(h, 0);
- eq = !memcmp(mac, pmac, tagsz);
+ eq = ct_memeq(mac, pmac, tagsz);
 IF_TRACING(T_KEYSET, {
 trace_block(T_CRYPTO, "crypto: computed MAC", mac, tagsz);
 })
diff --git a/server/tripe.h b/server/tripe.h
index 72a47a10..da073244 100644
--- a/server/tripe.h
+++ b/server/tripe.h
@@ -89,6 +89,7 @@
 #include
 #include
+#include
 #include
 #include
-- 
[mdw]
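Review bot: The new line `ok = ct_memeq(GH_DONE(h, 0), p + 4, master->algs.tagsz);` in the server/chal.c hunk carries no comment saying why the ordinary comparison is wrong here, so a later reader may "simplify" it back to memcmp and silently reintroduce the leak this commit closes; the same applies to `eq = ct_memeq(mac, pmac, tagsz);` in the server/keyset.c hunk. A one-line comment above each call would pin the intent, e.g. `/* Constant-time compare: must not leak how many tag bytes matched. */`. It is also worth confirming against the ct_memeq contract that its result is only ever tested as a boolean: c_check uses it via `if (!ok)`, which is fine, but the later use of eq in dodecrypt is not visible in the hunk, and if anything compared it with 1 the old `!memcmp` guaranteed that while a "nonzero if equal" return would not. Both c_check and dodecrypt begin and end outside their hunks.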