Implement constant-time comparison.

technion · Apr 15, 2014 · eeaf35f · eeaf35f
1 parent ed9199a
commit eeaf35f
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 5 deletions.
diff --git a/Makefile b/Makefile
@@ -11,13 +11,13 @@ CFLAGS_EXTRA?=-Wl,-rpath=.
 
 all: reference
 
-OBJS= crypto_scrypt-nosse.o sha256.o crypto_scrypt-hexconvert.o crypto-mcf.o b64.o crypto-scrypt-saltgen.o crypto_scrypt-check.o crypto_scrypt-hash.o
+OBJS= crypto_scrypt-nosse.o sha256.o crypto_scrypt-hexconvert.o crypto-mcf.o b64.o crypto-scrypt-saltgen.o crypto_scrypt-check.o crypto_scrypt-hash.o slowequals.o
 
 libscrypt.so.0: $(OBJS) 
 	$(CC)  $(LDFLAGS) -shared -o libscrypt.so.0  $(OBJS) -lm -lc
 	ar rcs libscrypt.a  $(OBJS)
 
-reference: libscrypt.so.0 main.o b64.o
+reference: libscrypt.so.0 main.o b64.o slowequals.o
 	ln -s -f libscrypt.so.0 libscrypt.so
 	$(CC) -Wall -o reference main.o  b64.o $(CFLAGS_EXTRA) -L.  -lscrypt
 

diff --git a/README.md b/README.md
@@ -55,6 +55,7 @@ Please compile and install with:
 BUGS
 ----
 SCRYPT_* constants are probably a little high for something like a Raspberry pi. Using '1' as SCRYPT_p is acceptable from a security and performance standpoint if needed. 
+Experiments were performed with using memset() to zero out passwords as they were checked. This often caused issues with calling applications where the password based have been passed as a const*. We highly recommend implementing your own zeroing function the moment this library is called.
 
 Notes on Code Development
 ------------------------

diff --git a/crypto_scrypt-check.c b/crypto_scrypt-check.c
@@ -4,6 +4,7 @@
 #include <math.h>
 
 #include "b64.h"
+#include "slowequals.h"
 #include "libscrypt.h"
 
 /* pow() works with doubles. Sounds like it should cast to int correctly,
@@ -25,6 +26,11 @@ static uint16_t ipow(uint16_t base, uint32_t exp)
 
 int libscrypt_check(char *mcf, char *password)
 {
+    /* Return values:
+     * <0 error
+     * == 0 password incorrect
+     * >0 correct password
+     */
 
 	uint32_t params;
 	uint16_t N;
@@ -87,11 +93,11 @@ int libscrypt_check(char *mcf, char *password)
 	if ( !tok )
 		return -1;
 
-	if(strcmp(tok, outbuf) == 0)
+	if(slow_equals(tok, outbuf) == 0)
 	{
-		return 1;
+		return 0;
 	}
 
-	return 0;
+	return 1; /* This is the "else" condition */
 }
 
diff --git a/slowequals.c b/slowequals.c
@@ -0,0 +1,26 @@
+#include <string.h>
+
+/* Implements a constant time version of strcmp()
+ * Will return 1 if a and b are equal, 0 if they are not */
+int slow_equals(const char* a, const char* b)
+{
+    size_t lena, lenb, diff, i;
+    lena = strlen(a);
+    lenb = strlen(b);
+    diff = strlen(a) ^ strlen(b);
+
+    for(i=0; i<lena && i<lenb; i++)
+    {
+        diff |= a[i] ^ b[i];
+    }
+    if (diff == 0)
+    {
+        return 1;
+    }
+    else
+    {
+        return 0;
+    }
+}
+
+
diff --git a/slowequals.h b/slowequals.h
@@ -0,0 +1,5 @@
+
+/* Implements a constant time version of strcmp()
+ * Will return 1 if a and b are equal, 0 if they are not */
+int slow_equals(const char* a, const char* b);
+