[libfko] HMAC comparison timing bug fix

Ryman reported a timing attack bug in the HMAC comparison operation (#85) and suggested a fix derived from YaSSL: http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg320402.html
2013-06-01 09:09:17 -04:00 · 2013-06-01 09:09:17 -04:00 · 6706c53902
commit 6706c53902
parent 0f0f73636f
2 changed files with 32 additions and 1 deletions
--- a/5
+++ b/5
@ -128,3 +128,8 @@ Shawn Wilson
 Dan Lauber
    - Suggested a check for fwknopd to ensure that the jump rule on systems
      running iptables is not duplicated if it already exists.
+
+Ryman
+    - Reported a timing attack bug in the HMAC comparison operation (#85) and
+      suggested a fix derived from YaSSL:
+      http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg320402.html
--- a/lib/fko_hmac.c
+++ b/lib/fko_hmac.c
@ -34,6 +34,32 @@
 #include "hmac.h"
 #include "base64.h"

+/* Compare all bytes with constant run time regardless of
+ * input characteristics (i.e. don't return early if a difference
+ * is found before comparing all bytes).  This code was adapted
+ * from YaSSL which is GPLv2 after a timing bug was reported by
+ * Ryman through github (#85)
+*/
+static int
+constant_runtime_compare(const char *a, const char *b, int len)
+{
+    int good = 0;
+    int bad  = 0;
+    int i;
+
+    for(i=0; i < len; i++) {
+        if (a[i] == b[i])
+            good++;
+        else
+            bad++;
+    }
+
+    if (good == len)
+        return 0;
+    else
+        return 0 - bad;
+}
+
 int fko_verify_hmac(fko_ctx_t ctx,
    const char * const hmac_key, const int hmac_key_len)
 {
@ -131,7 +157,7 @@ int fko_verify_hmac(fko_ctx_t ctx,

        if(res == FKO_SUCCESS)
        {
-            if(strncmp(hmac_digest_from_data,
+            if(constant_runtime_compare(hmac_digest_from_data,
                    ctx->msg_hmac, hmac_b64_digest_len) != 0)
            {
                res = FKO_ERROR_INVALID_DATA;