diff options
author | drebs <drebs@leap.se> | 2013-07-25 11:07:06 -0300 |
---|---|---|
committer | drebs <drebs@leap.se> | 2013-07-25 11:10:00 -0300 |
commit | 47b755f47792aa53b8345b0ef05796ee7c7a39e6 (patch) | |
tree | 001b520551801bb1b8504de8427f8c9538c184a1 | |
parent | 8e4d572553a40257edc396a04689e4e42be807f3 (diff) |
Avoid possible timing attack in hash comparison (closes #3243)
-rw-r--r-- | soledad/changes/bug_3243-avoid-possible-timing-attack-in-hash-comparison | 2 | ||||
-rw-r--r-- | soledad/src/leap/soledad/target.py | 9 |
2 files changed, 10 insertions, 1 deletions
diff --git a/soledad/changes/bug_3243-avoid-possible-timing-attack-in-hash-comparison b/soledad/changes/bug_3243-avoid-possible-timing-attack-in-hash-comparison new file mode 100644 index 00000000..0794b1ab --- /dev/null +++ b/soledad/changes/bug_3243-avoid-possible-timing-attack-in-hash-comparison @@ -0,0 +1,2 @@ + o Avoid possible timing attack in document's mac comparison by comparing + hashes instead of plain macs. Closes #3243. diff --git a/soledad/src/leap/soledad/target.py b/soledad/src/leap/soledad/target.py index 8b7aa8c7..9fac9f54 100644 --- a/soledad/src/leap/soledad/target.py +++ b/soledad/src/leap/soledad/target.py @@ -231,7 +231,14 @@ def decrypt_doc(crypto, doc): crypto, doc.doc_id, doc.rev, ciphertext, doc.content[MAC_METHOD_KEY]) - if binascii.a2b_hex(doc.content[MAC_KEY]) != mac: # mac is stored as hex. + # we compare mac's hashes to avoid possible timing attacks that might + # exploit python's builtin comparison operator behaviour, which fails + # immediatelly when non-matching bytes are found. + doc_mac_hash = hashlib.sha256( + binascii.a2b_hex( # the mac is stored as hex + doc.content[MAC_KEY])).digest() + calculated_mac_hash = hashlib.sha256(mac).digest() + if doc_mac_hash != calculated_mac_hash: raise WrongMac('Could not authenticate document\'s contents.') # decrypt doc's content enc_scheme = doc.content[ENC_SCHEME_KEY] |