[tor-bugs] #3122 [Tor Client]: Write and use constant-time comparison functions

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat May 7 00:49:36 UTC 2011 

#3122: Write and use constant-time comparison functions
-------------------------+--------------------------------------------------
 Reporter:  rransom      |          Owner:  ioerror
     Type:  enhancement  |         Status:  new    
 Priority:  major        |      Milestone:         
Component:  Tor Client   |        Version:         
 Keywords:               |         Parent:         
   Points:               |   Actualpoints:         
-------------------------+--------------------------------------------------

Comment(by nickm):

 I agree with using data-independent memcmp (that is to say, dependent on
 the length parameter but not on the data) everywhere that it's not
 specifically shown to be safe.  Personally, I'd suggest that we just
 outright switch *all* of the memcmps that we do to use a data-independent
 version, and have a fast_memcmp() that we use for cases where the length
 may be larger and we know that the operation is safe.  It seems safer to
 audit for safe and critical cases than it does to try to audit for the
 risky ones.

 But I'm not clear what a "constant-time" strcmp operation even means.  It
 could be dependent on the length of the shorter string, or on the length
 of the longer string, or on the first or the second, but I'm not sure how
 you're supposed to implement true "data-independent" strcmp.  This will
 want closer code auditing.

 FWIW, the particular example above is safe.  Even if the attacker somehow
 learned not only one byte but rather *every* byte in key_material by
 sending a bad handshake reply, the information would be useless: a bad
 reply means that the client closes the circuit immediately.  The next
 circuit the client tries to build will have a different g^x value for its
 diffie hellman handshake, and the key_material that the client would have
 accepted last time will not be the key_material that it expects in any
 subsequent circuit extend handshake.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3122#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list