Fix potential timing attack in parsing messages

coyim · May 21, 2020 · 240c893 · 240c893
1 parent 1622e41
commit 240c893
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 30 deletions.
diff --git a/ake.go b/ake.go
@@ -323,14 +323,10 @@ func verifyEncryptedSignatureMAC(encryptedSig []byte, theirMAC []byte, keys *ake
 
 func (c *Conversation) parseTheirKey(key []byte) (sig []byte, keyID uint32, err error) {
 	var rest []byte
-	var ok bool
+	var ok, ok2 bool
 	rest, ok, c.theirKey = ParsePublicKey(key)
-	if !ok {
-		return nil, 0, errCorruptEncryptedSignature
-	}
-
-	sig, keyID, ok = gotrax.ExtractWord(rest)
-	if !ok {
+	sig, keyID, ok2 = gotrax.ExtractWord(rest)
+	if !(ok && ok2) {
 		return nil, 0, errCorruptEncryptedSignature
 	}
 

diff --git a/auth_state_machine.go b/auth_state_machine.go
@@ -121,15 +121,11 @@ func (s authStateAwaitingRevealSig) receiveDHCommitMessage(c *Conversation, msg
 
 func (s authStateAwaitingDHKey) receiveDHCommitMessage(c *Conversation, msg []byte) (authState, messageWithHeader, error) {
 	newMsg, _, ok := gotrax.ExtractData(msg)
-	if !ok {
+	_, theirHashedGx, ok2 := gotrax.ExtractData(newMsg)
+	if !(ok && ok2) {
 		return s, nil, errInvalidOTRMessage
 	}
-
-	_, theirHashedGx, ok := gotrax.ExtractData(newMsg)
-	if !ok {
-		return s, nil, errInvalidOTRMessage
-	}
-
+
 	gxMPI := gotrax.AppendMPI(nil, c.ake.ourPublicValue)
 	hashedGx := c.version.hash2(gxMPI)
 	//If yours is the higher hash value:

diff --git a/messages.go b/messages.go
@@ -42,17 +42,14 @@ func (c dhCommit) serialize() []byte {
 }
 
 func (c *dhCommit) deserialize(msg []byte) error {
-	var ok bool
-	msg, c.encryptedGx, ok = gotrax.ExtractData(msg)
-	if !ok {
-		return newOtrError("corrupt DH commit message")
-	}
+	msg, g, ok := gotrax.ExtractData(msg)
+	_, h, ok2 := gotrax.ExtractData(msg)
 
-	_, h, ok := gotrax.ExtractData(msg)
-	if !ok {
+	if !(ok && ok2) {
 		return newOtrError("corrupt DH commit message")
 	}
 
+	c.encryptedGx = g
 	c.yhashedGx = h
 	return nil
 }
@@ -92,16 +89,11 @@ func (c revealSig) serialize(v otrVersion) []byte {
 
 func (c *revealSig) deserialize(msg []byte, v otrVersion) error {
 	in, r, ok := gotrax.ExtractData(msg)
-	if len(r) != 16 {
-		return newOtrError("corrupt reveal signature message")
-	}
-
-	if !ok {
-		return newOtrError("corrupt reveal signature message")
-	}
+	okLen := len(r) == 16
+	macSig, encryptedSig, ok2 := gotrax.ExtractData(in)
+	okLen2 := len(macSig) == v.truncateLength()
 
-	macSig, encryptedSig, ok := gotrax.ExtractData(in)
-	if !ok || len(macSig) != v.truncateLength() {
+	if !(ok && ok2 && okLen && okLen2) {
 		return newOtrError("corrupt reveal signature message")
 	}