Folks, security@ got a notification of a potential side channel attack. The original message is below (sans details on the poster who wants to remain private).
In short - we're comparing the digest in mod-auth-digest in a manner that may reveal how much is actually correct; leading potentially to a timing attack. After discussing this on security@ we surmised that the risks are not overly high; and that fixing this may warrant some wider discussion/more eyeballs across the code base for similar things.

Options discussed so far on security@ and general thoughts are:

1) adding a timing safe compare to util_md5.c (for now) with an idea to move this to APR longer term. Besides the link below - https://github.com/jedisct1/libsodium/blob/master/src/libsodium/sodium/utils.c#L82 - the OpenBSD one was mentioned as well.

2) The mail below just mentions the one comparison; there is an earlier strcmp comparison there as well.

3) In general - string comparisons are more messy; as there is the length (difference) issue that is harder to hide. And moving the comparison into sha/md5 space is not trivial without a length related side channel on the checksum.

4) Is this also a moment to reconsider the use of md5; and go to a decent SHA?

5) We have lots of other places which may need a bit of thought; Yann mentioned places like: e.g. strncmp(), strlen(), str[n]cat(), memcpy() and memcmp() are used by apr_md5_encode(), apr_password_validate(), apr_sha1_update(), … Avoiding timing attacks requires at least to not use these functions in APR crypto, and have their equivalent there, and then use them where appropriate in httpd.

Thanks,

Dw.

>> -------- Forwarded Message --------
>> Subject: httpd: Side Channel Attack
>> Date: Tue, 19 May 2015 18:15:57 +0700
>>
>> Hi There,
>>
>> Since memcmp() performs a "byte-by-byte" comparison and does not execute
>> in constant-time, you need to use a better function.
>>
>> Vuln code which is vulnerable to timing attacks:
>>
>> ---------
>> ./modules/slotmem/mod_slotmem_shm.c:215: if (memcmp(digest, digest2, APR_MD5_DIGESTSIZE)) {
>>
>> ./modules/aaa/mod_auth_digest.c:1426: if (memcmp(resp->client->last_nonce, resp->nonce, NONCE_LEN)) {
>>
>> ./modules/ssl/ssl_ct_log_config.c:282: if (memcmp(computed_log_id, log_id_bin, LOG_ID_SIZE)) {
>> ---------
>>
>> Please take a look at memcmp_nta() http://lkml.org/lkml/2013/2/10/13
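As an added illustration of what option 1) above is asking for, here is a small C example of the accumulate-the-XORs comparison that libsodium's sodium_memcmp and the memcmp_nta() patch linked in the report both use, placed beside the early-exit memcmp() pattern the report flags. This is example code written for this page; it is not code from httpd, APR, libsodium or the forwarded mail, and the function names (ct_memeq, ct_streq, digest_response_ok), the HEX_DIGEST_LEN constant and the sample hex values are my own choices for the demonstration. The string variant shows the caveat from point 3): the accumulator hides where the first mismatch is, but the lengths of the two strings still shape the running time.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constant-time "is d zero?": fold all bits of d into its low byte, then
 * map d == 0 -> 1 and d != 0 -> 0 with arithmetic instead of a branch. */
static int ct_is_zero(unsigned int d)
{
    d |= d >> 16;
    d |= d >> 8;
    d &= 0xffu;
    return (int)(1u & ((d - 1u) >> 8));
}

/* The pattern the report flags: memcmp() stops at the first differing byte,
 * so the time taken grows with the length of the correct prefix. */
int early_exit_digest_eq(const unsigned char *a, const unsigned char *b, size_t n)
{
    return memcmp(a, b, n) == 0;
}

/* Timing-safe fixed-length equality (the libsodium / memcmp_nta idea):
 * OR together the XOR of every byte pair, so all n bytes are visited on
 * every call and the verdict is only formed at the end.
 * Returns 1 if the buffers are equal, 0 otherwise. */
int ct_memeq(const void *a_, const void *b_, size_t n)
{
    const volatile unsigned char *a = (const volatile unsigned char *)a_;
    const volatile unsigned char *b = (const volatile unsigned char *)b_;
    unsigned int d = 0;
    size_t i;

    for (i = 0; i < n; i++)
        d |= (unsigned int)(a[i] ^ b[i]);
    return ct_is_zero(d);
}

/* Timing-safe NUL-terminated string equality. The loop always walks every
 * byte of `user`, and a length mismatch is folded into the accumulator
 * instead of being an early return, so the position of the first differing
 * byte is not visible in the timing. What the timing still reflects is the
 * two lengths themselves, which is the part point 3) above says is hard
 * to hide for strings. Returns 1 if equal, 0 otherwise. */
int ct_streq(const char *user, const char *expected)
{
    size_t ulen = strlen(user);
    size_t elen = strlen(expected);
    unsigned int d = (unsigned int)(ulen != elen);   /* 1 if lengths differ */
    size_t i;

    for (i = 0; i < ulen; i++) {
        /* beyond the end of `expected`, compare against 0 so every byte of
         * `user` is still touched */
        unsigned char e = (i < elen) ? (unsigned char)expected[i] : 0;
        d |= (unsigned int)((unsigned char)user[i] ^ e);
    }
    return ct_is_zero(d);
}

/* Digest-auth style check (hypothetical helper): the client supplies a hex
 * digest whose length is public, so rejecting on length up front leaks
 * nothing; only the content comparison has to be constant-time.
 * Assumes expected_hex is also HEX_DIGEST_LEN characters long. */
#define HEX_DIGEST_LEN 32   /* MD5 rendered as hex */

int digest_response_ok(const char *client_hex, const char *expected_hex)
{
    if (strlen(client_hex) != HEX_DIGEST_LEN)
        return 0;
    return ct_memeq(client_hex, expected_hex, HEX_DIGEST_LEN);
}

int main(void)
{
    /* constructed sample values, not real credentials or real digests */
    const char *expected = "9e107d9d372bb6826bd81d3542a419d6";
    const char *good     = "9e107d9d372bb6826bd81d3542a419d6";
    const char *bad      = "9e107d9d372bb6826bd81d3542a419d7";  /* last nibble differs */

    printf("good digest: %d\n", digest_response_ok(good, expected));
    printf("bad digest:  %d\n", digest_response_ok(bad, expected));
    printf("nonce str:   %d\n", ct_streq("nonce-abc", "nonce-abc"));
    return 0;
}
```

The `volatile` qualifiers and the arithmetic in ct_is_zero are there to discourage the compiler from reintroducing a data-dependent branch; that is the same reason libsodium and memcmp_nta avoid a plain `return d == 0`. A compiler can still in principle undo this, so any such helper deserves a look at the generated assembly once it lands in util_md5.c or APR.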