Folks,
security@ got a notification of a potential side channel attack. The original
message is below (sans details on the poster who wants to remain private).
In short - we're comparing the digest in mod_auth_digest in a manner that may
reveal how much is actually correct, potentially leading to a timing attack.
After discussing this on security@ we surmised that the risks are not overly
high; and that fixing this may warrant some wider discussion/more eyeballs
across the code base for similar things.
Options discussed so far on security@ and general thoughts are:
1) adding a timing safe compare to util_md5.c (for now) with
an idea to move this to APR longer term.
Besides the link below -
https://github.com/jedisct1/libsodium/blob/master/src/libsodium/sodium/utils.c#L82
and the OpenBSD one was mentioned.
2) The mail below covers just that comparison; there is an earlier strcmp
comparison there as well.
3) In general - string comparisons are more messy; as there is the length
(difference) issue that is harder to hide. And moving the comparison into
sha/md5 space is not trivial without a length related side channel on the
checksum.
4) Is this also a moment to reconsider the use of md5; and go to a decent SHA?
5) We have lots of other places which may need a bit of thought; Yann
mentioned places like: e.g. strncmp(), strlen(), str[n]cat(), memcpy() and
memcmp() are used by apr_md5_encode(), apr_password_validate(),
apr_sha1_update(), …
Avoiding timing attacks requires at least to not use these functions
in APR crypto, and have their equivalent there, and then use them
where appropriate in httpd.
Thanks,
Dw.
>> -------- Forwarded Message --------
>> Subject: httpd: Side Channel Attack
>> Date: Tue, 19 May 2015 18:15:57 +0700
>>
>> Hi There,
>>
>> Since memcmp() performs a "byte-by-byte" comparison and does not execute
>> in constant time, you need to use a better function.
>>
>> Vuln code which is vulnerable to timing attacks:
>>
>> ---------
>> ./modules/slotmem/mod_slotmem_shm.c:215: if (memcmp(digest, digest2, APR_MD5_DIGESTSIZE)) {
>>
>> ./modules/aaa/mod_auth_digest.c:1426: if (memcmp(resp->client->last_nonce, resp->nonce, NONCE_LEN)) {
>>
>> ./modules/ssl/ssl_ct_log_config.c:282: if (memcmp(computed_log_id, log_id_bin, LOG_ID_SIZE)) {
>> ---------
>>
>> Please take a look at memcmp_nta() http://lkml.org/lkml/2013/2/10/13
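
As an added illustration of option 1 above (this is not httpd or APR code, and
the names ct_memcmp and ct_strcmp_secret are assumed for the example), here is
a fixed-length comparison in the XOR-accumulate style of the libsodium and
OpenBSD routines referenced, plus a string variant that makes the residual
length channel from point 3 visible. The digest and nonce values in main() are
constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ct_memcmp: constant-time comparison of two fixed-size buffers.
 * Added example following the XOR-accumulate idiom of libsodium's
 * sodium_memcmp() and OpenBSD's timingsafe_bcmp(); name and signature are
 * assumptions for this illustration, not an httpd or APR API.
 * Returns 0 when equal, non-zero otherwise. Every byte is visited and no
 * branch depends on the data, so the running time does not reveal how many
 * leading bytes of the expected digest were already correct. */
int ct_memcmp(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = (const volatile unsigned char *)a;
    const volatile unsigned char *pb = (const volatile unsigned char *)b;
    volatile unsigned char acc = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        acc |= (unsigned char)(pa[i] ^ pb[i]);  /* OR in differences, never exit early */
    }
    return (int)acc;
}

/* ct_strcmp_secret: constant-time check of a caller-supplied NUL-terminated
 * string against a secret one (the earlier strcmp case from point 2).
 * Hypothetical helper. It walks the secret's full length plus terminator, so
 * the time depends on the secret's length (and on the caller's own input),
 * but not on where the first mismatching character sits. A length mismatch
 * is caught because the shorter string's terminator differs from the other
 * string's character at that position. The secret-length dependence is the
 * residual channel of point 3; for fixed-format digests and nonces it is a
 * constant. Returns 0 when equal, non-zero otherwise. */
int ct_strcmp_secret(const char *secret, const char *input)
{
    size_t slen = strlen(secret);
    size_t ilen = strlen(input);        /* scanning the caller's input is fine */
    volatile unsigned char acc = 0;
    size_t i;

    for (i = 0; i <= slen; i++) {       /* <= : include the NUL terminator */
        /* Beyond the end of input compare against NUL instead of reading past it. */
        unsigned char c = (i <= ilen) ? (unsigned char)input[i] : 0;
        acc |= (unsigned char)((unsigned char)secret[i] ^ c);
    }
    return (int)acc;
}

int main(void)
{
    /* Constructed 16-byte sample digest (not a real hash) and a candidate
     * differing only in the last byte: the case where an early-exit memcmp
     * takes longest and thereby tells the caller that 15 bytes were right. */
    unsigned char expected[16] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
    unsigned char candidate[16];

    memcpy(candidate, expected, sizeof candidate);
    candidate[15] ^= 0x01;

    printf("digest, identical      : %s\n",
           ct_memcmp(expected, expected, sizeof expected) == 0 ? "match" : "mismatch");
    printf("digest, last byte off  : %s\n",
           ct_memcmp(expected, candidate, sizeof expected) == 0 ? "match" : "mismatch");
    printf("nonce string, same     : %s\n",
           ct_strcmp_secret("sample-nonce-0001", "sample-nonce-0001") == 0 ? "match" : "mismatch");
    printf("nonce string, truncated: %s\n",
           ct_strcmp_secret("sample-nonce-0001", "sample-nonce") == 0 ? "match" : "mismatch");
    return 0;
}
```

For the three fixed-size sites in the forwarded list (APR_MD5_DIGESTSIZE,
NONCE_LEN, LOG_ID_SIZE) the fixed-length routine is a drop-in for memcmp():
the caller's if() on the result only reveals pass/fail, which the response
already does. The volatile qualifiers discourage the optimizer from
short-circuiting the loop, but inspecting the emitted assembly for the target
compiler remains the practical check that no data-dependent branch crept back in.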