commit 4b19730c8234de3587bd50256fcb11660fb07388 Author: Nick Mathewson nickm@torproject.org Date: Mon May 9 18:39:23 2011 -0400
Add a data-independent variant of memcmp and a d-i memeq function.
The tor_memcmp code is by Robert Ransom, and the tor_memeq code is by me. Both incorporate some ideas from DJB's stuff. --- changes/bug3122_memcmp | 7 +++ configure.in | 18 +++++++ src/common/Makefile.am | 4 +- src/common/di_ops.c | 133 ++++++++++++++++++++++++++++++++++++++++++++++++ src/common/di_ops.h | 28 ++++++++++ src/or/test.c | 55 ++++++++++++++++++++ 6 files changed, 243 insertions(+), 2 deletions(-)
diff --git a/changes/bug3122_memcmp b/changes/bug3122_memcmp new file mode 100644 index 0000000..a049476 --- /dev/null +++ b/changes/bug3122_memcmp @@ -0,0 +1,7 @@ + o Security fixes + - Replace all potentially sensitive memory comparison operations + with versions whose runtime does not depend on the data being + compared. This will help resist a class of attacks where an + adversary can use variations in timing information to learn + sensitive data. Fix for one case of bug 3122. (Safe memcmp + implementation by Robert Ransom based partially on code by DJB.) diff --git a/configure.in b/configure.in index 1fddaca..eead014 100644 --- a/configure.in +++ b/configure.in @@ -626,6 +626,24 @@ if test "$tor_cv_twos_complement" != no ; then [Define to 1 iff we represent negative integers with two's complement]) fi
+# What does shifting a negative value do? +AC_CACHE_CHECK([whether right-shift on negative values does sign-extension], tor_cv_sign_extend, +[AC_RUN_IFELSE([AC_LANG_SOURCE( +[[int main () { int okay = (-60 >> 8) == -1; return okay ? 0 : 1; }]])], + [tor_cv_sign_extend=yes], + [tor_cv_sign_extend=no], + [tor_cv_sign_extend=cross])]) + +if test "$tor_cv_sign_extend" = cross ; then + # Cross-compiling; let's hope that the target isn't raving mad. + AC_MSG_NOTICE([Cross-compiling: we'll assume that right-shifting negative integers causes sign-extension]) +fi + +if test "$tor_cv_sign_extend" != no ; then + AC_DEFINE([RSHIFT_DOES_SIGN_EXTEND], 1, + [Define to 1 iff right-shifting a negative value performs sign-extension]) +fi + # Whether we should use the dmalloc memory allocation debugging library. AC_MSG_CHECKING(whether to use dmalloc (debug memory allocation library)) AC_ARG_WITH(dmalloc, diff --git a/src/common/Makefile.am b/src/common/Makefile.am index 105c413..db94a98 100644 --- a/src/common/Makefile.am +++ b/src/common/Makefile.am @@ -10,7 +10,7 @@ libor_extra_source= endif
libor_a_SOURCES = address.c log.c util.c compat.c container.c mempool.c \ - memarea.c $(libor_extra_source) + memarea.c di_ops.c $(libor_extra_source) libor_crypto_a_SOURCES = crypto.c aes.c tortls.c torgzip.c
-noinst_HEADERS = address.h log.h crypto.h test.h util.h compat.h aes.h torint.h tortls.h strlcpy.c strlcat.c torgzip.h container.h ht.h mempool.h memarea.h ciphers.inc +noinst_HEADERS = address.h log.h crypto.h test.h util.h compat.h aes.h torint.h tortls.h strlcpy.c strlcat.c torgzip.h container.h ht.h mempool.h memarea.h di_ops.h ciphers.inc diff --git a/src/common/di_ops.c b/src/common/di_ops.c new file mode 100644 index 0000000..c1e292f --- /dev/null +++ b/src/common/di_ops.c @@ -0,0 +1,133 @@ +/* Copyright (c) 2011, The Tor Project, Inc. */ +/* See LICENSE for licensing information */ + +/** + * \file di_ops.c + * \brief Functions for data-independent operations + **/ + +#include "orconfig.h" +#include "di_ops.h" + +/** + * Timing-safe version of memcmp. As memcmp, compare the <b>sz</b> bytes + * at <b>a</b> with the <b>sz</b> bytes at <b>, and returns less than 0 if the + * bytes at <b>a</b> lexically precede those at <b>b</b>, 0 if the byte ranges + * are equal, and greater than zero if the bytes at <b>a</b> lexically follow + * those at <b>. + * + * This implementation differs from memcmp in that its timing behavior is not + * data-dependent: it should return in the same amount of time regardless of + * the contents of <b>a</b> and <b>b</b>. + */ +int +tor_memcmp(const void *a, const void *b, size_t len) +{ + const uint8_t *x = a; + const uint8_t *y = b; + size_t i = len; + int retval = 0; + + /* This loop goes from the end of the arrays to the start. At the + * start of every iteration, before we decrement i, we have set + * "retval" equal to the result of memcmp(a+i,b+i,len-i). During the + * loop, we update retval by leaving it unchanged if x[i]==y[i] and + * setting it to x[i]-y[i] if x[i]!= y[i]. + * + * The following assumes we are on a system with two's-complement + * arithmetic. We check for this at configure-time with the check + * that sets USING_TWOS_COMPLEMENT. If we aren't two's complement, then + * torint.h will stop compilation with an error. + */ + while (i--) { + int v1 = x[i]; + int v2 = y[i]; + int equal_p = v1 ^ v2; + + /* The following sets bits 8 and above of equal_p to 'equal_p == + * 0', and thus to v1 == v2. (To see this, note that if v1 == + * v2, then v1^v2 == equal_p == 0, so equal_p-1 == -1, which is the + * same as ~0 on a two's-complement machine. Then note that if + * v1 != v2, then 0 < v1 ^ v2 < 256, so 0 <= equal_p - 1 < 255.) + */ + --equal_p; + + equal_p >>= 8; + /* Thanks to (sign-preserving) arithmetic shift, equal_p is now + * equal to -(v1 == v2), which is exactly what we need below. + * (Since we're assuming two's-complement arithmetic, -1 is the + * same as ~0 (all bits set).) + * + * (The result of an arithmetic shift on a negative value is + * actually implementation-defined in standard C. So how do we + * get away with assuming it? Easy. We check.) */ +#if ((-60 >> 8) != -1) +#error "According to cpp, right-shift doesn't perform sign-extension." +#endif +#ifndef RSHIFT_DOES_SIGN_EXTEND +#error "According to configure, right-shift doesn't perform sign-extension." +#endif + + /* If v1 == v2, equal_p is ~0, so this will leave retval + * unchanged; otherwise, equal_p is 0, so this will zero it. */ + retval &= equal_p; + + /* If v1 == v2, then this adds 0, and leaves retval unchanged. + * Otherwise, we just zeroed retval, so this sets it to v1 - v2. */ + retval += (v1 - v2); + + /* There. Now retval is equal to its previous value if v1 == v2, and + * equal to v1 - v2 if v1 != v2. */ + } + + return retval; +} + +/** + * Timing-safe memory comparison. Return true if the <b>sz</b> bytes at + * <b>a</b> are the same as the <b>sz</b> bytes at <b>, and 0 otherwise. + * + * This implementation differs from !memcmp(a,b,sz) in that its timing + * behavior is not data-dependent: it should return in the same amount of time + * regardless of the contents of <b>a</b> and <b>b</b>. It differs from + * !tor_memcmp(a,b,sz) by being faster. + */ +int +tor_memeq(const void *a, const void *b, size_t sz) +{ + /* Treat a and b as byte ranges. */ + const uint8_t *ba = a, *bb = b; + uint32_t any_difference = 0; + while (sz--) { + /* Set byte_diff to all of those bits that are different in *ba and *bb, + * and advance both ba and bb. */ + const uint8_t byte_diff = *ba++ ^ *bb++; + + /* Set bits in any_difference if they are set in byte_diff. */ + any_difference |= byte_diff; + } + + /* Now any_difference is 0 if there are no bits different between + * a and b, and is nonzero if there are bits different between a + * and b. Now for paranoia's sake, let's convert it to 0 or 1. + * + * (If we say "!any_difference", the compiler might get smart enough + * to optimize-out our data-independence stuff above.) + * + * To unpack: + * + * If any_difference == 0: + * any_difference - 1 == ~0 + * (any_difference - 1) >> 8 == 0x00ffffff + * 1 & ((any_difference - 1) >> 8) == 1 + * + * If any_difference != 0: + * 0 < any_difference < 256, so + * 0 < any_difference - 1 < 255 + * (any_difference - 1) >> 8 == 0 + * 1 & ((any_difference - 1) >> 8) == 0 + */ + + return 1 & ((any_difference - 1) >> 8); +} + diff --git a/src/common/di_ops.h b/src/common/di_ops.h new file mode 100644 index 0000000..1b223d9 --- /dev/null +++ b/src/common/di_ops.h @@ -0,0 +1,28 @@ +/* Copyright (c) 2003-2004, Roger Dingledine + * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. + * Copyright (c) 2007-2011, The Tor Project, Inc. */ +/* See LICENSE for licensing information */ + +/** + * \file di_ops.h + * \brief Headers for di_ops.c + **/ + +#ifndef TOR_DI_OPS_H +#define TOR_DI_OPS_H + +#include "orconfig.h" +#include "torint.h" + +int tor_memcmp(const void *a, const void *b, size_t sz); +int tor_memeq(const void *a, const void *b, size_t sz); +#define tor_memneq(a,b,sz) (!tor_memeq((a),(b),(sz))) + +/** Alias for the platform's memcmp() function. This function is + * <em>not</em> data-independent: we define this alias so that we can + * mark cases where we are deliberately using a data-dependent memcmp() + * implementation. + */ +#define fast_memcmp(a,b,c) (memcmp((a),(b),(c))) + +#endif diff --git a/src/or/test.c b/src/or/test.c index b08f202..dc71db4 100644 --- a/src/or/test.c +++ b/src/or/test.c @@ -43,6 +43,7 @@ const char tor_svn_revision[] = ""; #include "torgzip.h" #include "mempool.h" #include "memarea.h" +#include "di_ops.h"
#ifdef USE_DMALLOC #include <dmalloc.h> @@ -1331,6 +1332,59 @@ test_util(void) ; }
+static void +test_util_di_ops(void) +{ +#define LT -1 +#define GT 1 +#define EQ 0 + const struct { + const char *a; int want_sign; const char *b; + } examples[] = { + { "Foo", EQ, "Foo" }, + { "foo", GT, "bar", }, + { "foobar", EQ ,"foobar" }, + { "foobar", LT, "foobaw" }, + { "foobar", GT, "f00bar" }, + { "foobar", GT, "boobar" }, + { "", EQ, "" }, + { NULL, 0, NULL }, + }; + + int i; + + for (i = 0; examples[i].a; ++i) { + size_t len = strlen(examples[i].a); + int eq1, eq2, neq1, neq2, cmp1, cmp2; + test_eq(len, strlen(examples[i].b)); + /* We do all of the operations, with operands in both orders. */ + eq1 = tor_memeq(examples[i].a, examples[i].b, len); + eq2 = tor_memeq(examples[i].b, examples[i].a, len); + neq1 = tor_memneq(examples[i].a, examples[i].b, len); + neq2 = tor_memneq(examples[i].b, examples[i].a, len); + cmp1 = tor_memcmp(examples[i].a, examples[i].b, len); + cmp2 = tor_memcmp(examples[i].b, examples[i].a, len); + + /* Check for correctness of cmp1 */ + if (cmp1 < 0 && examples[i].want_sign != LT) + test_fail(); + else if (cmp1 > 0 && examples[i].want_sign != GT) + test_fail(); + else if (cmp1 == 0 && examples[i].want_sign != EQ) + test_fail(); + + /* Check for consistency of everything else with cmp1 */ + test_eq(eq1, eq2); + test_eq(neq1, neq2); + test_eq(cmp1, -cmp2); + test_eq(eq1, cmp1 == 0); + test_eq(neq1, !eq1); + } + + done: + ; +} + /** Helper: assert that IPv6 addresses <b>a</b> and <b>b</b> are the same. On * failure, reports an error, describing the addresses as <b>e1</b> and * <b>e2</b>, and reporting the line number as <b>line</b>. */ @@ -4753,6 +4807,7 @@ static struct { SUBENT(crypto, aes_iv), SUBENT(crypto, base32_decode), ENT(util), + SUBENT(util, di_ops), SUBENT(util, ip6_helpers), SUBENT(util, gzip), SUBENT(util, datadir),