Re: streql - Constant-time string comparison

To: Joel Rees <joel.rees@gmail.com>
Cc: "debian-security@lists.debian.org" <debian-security@lists.debian.org>
Subject: Re: streql - Constant-time string comparison
From: Riley Baird <BM-2cVqnDuYbAU5do2DfJTrN7ZbAJ246S4Xix@bitmessage.ch>
Date: Wed, 29 Oct 2014 06:59:30 +1100
Message-id: <[🔎] 544FF5A2.2010401@bitmessage.ch>
In-reply-to: <[🔎] CAAr43iMStL_-8iyGCre5fr76b7WH5Y12n=EAXLk4YQHZHL9h+g@mail.gmail.com>
References: <[🔎] 544F08AB.4000101@bitmessage.ch> <[🔎] CAAr43iMStL_-8iyGCre5fr76b7WH5Y12n=EAXLk4YQHZHL9h+g@mail.gmail.com>

On 29/10/14 00:20, Joel Rees wrote:
> On Tue, Oct 28, 2014 at 12:08 PM, Riley Baird
> <BM-2cVqnDuYbAU5do2DfJTrN7ZbAJ246S4Xix@bitmessage.ch> wrote:
>> Dear debian-security,
>>
>> I am looking for a sponsor for my package "streql".
>>
>> In Python, the code for testing the equality of strings is susceptible
>> to a "timing side channel attack". The package 'streql' provides a
>> function for comparing strings of equal length in equal time, regardless
>> of the content of the strings.
>>
>> * Package name    : streql
>>   Version         : 3.0.2-1
>>   Upstream Author : Peter Scott <peter@cueup.com>
>> * URL             : https://github.com/PeterScott/streql
>> * License         : Apache 2.0
>>   Section         : python
>>
>> It builds those binary packages:
>>
>> python-streql - Constant-time string comparison (Python 2)
>> python3-streql - Constant-time string comparison (Python 3)
>> pypy-streql - Constant-time string comparison (PyPy)
>>
>> To access further information about this package, please visit the following
>> URL:
>>
>> http://mentors.debian.net/package/streql
>>
>> Alternatively, one can download the package with dget using this command:
>>
>> dget -x
>> http://mentors.debian.net/debian/pool/main/s/streql/streql_3.0.2-1.dsc
>>
>> Changes since last upload:
>>
>> * Initial release (Closes: #764443)
>>
>> Regards,
>> Riley Baird
> 
> Let me try this suggestion again:
> 
> -----------------------
> // The core function: test two regions of memory for bytewise equality.
> static int equals_internal(const char *x, unsigned int xlen, const
> char *y, unsigned int ylen) {
> 
> int minlen = ( xlen > ylen ) ? ylen : xlen;
> int i, result = 0;
> 
> for (i = 0; i < minlen; i++) result |= x[i] ^ y[i];
> 
> return ( xlen == ylen ) && ( result == 0 );
> -----------------------
> 
> I haven't tested it, but I think the corner case I'm thinking about is
> fairly clear.

As far as I can tell, your code ensures that even if the strings are of
different length, an equality calculation should be performed anyway,
however returning 0, on the grounds that this would make it more
difficult for an attacker to know that the two strings entered were of
different lengths. Is this right?

Reply to:

Follow-Ups:
- Re: streql - Constant-time string comparison
  - From: Richard van den Berg <richard@vdberg.org>

References:
- streql - Constant-time string comparison
  - From: Riley Baird <BM-2cVqnDuYbAU5do2DfJTrN7ZbAJ246S4Xix@bitmessage.ch>
- Re: streql - Constant-time string comparison
  - From: Joel Rees <joel.rees@gmail.com>

Prev by Date: Re: streql - Constant-time string comparison
Next by Date: Re: streql - Constant-time string comparison
Previous by thread: Re: streql - Constant-time string comparison
Next by thread: Re: streql - Constant-time string comparison
Index(es):
- Date
- Thread