Compare MACs in constant time to prevent timing attacks

Fixes bug #12.
2024-11-22 07:53:31 +01:00 · 2014-10-16 22:18:02 +02:00 · 2014-10-16 22:18:02 +02:00 · 87fac6af57
commit 87fac6af57
parent 8bda1c8a46
1 changed files with 8 additions and 4 deletions
--- a/encfs/MACFileIO.cpp
+++ b/encfs/MACFileIO.cpp
@ -206,11 +206,17 @@ ssize_t MACFileIO::readOneBlock( const IORequest &req ) const
            uint64_t mac = cipher->MAC_64( tmp.data + macBytes, 
                    readSize - macBytes, key );

+            // Constant time comparision to prevent timing attacks
+            unsigned char fail = 0;
            for(int i=0; i<macBytes; ++i, mac >>= 8)
            {
                int test = mac & 0xff;
                int stored = tmp.data[i];
-                if(test != stored)
+
+                fail |= (test ^ stored);
+            }
+
+            if( fail > 0 )
            {
                    // uh oh.. 
                    long blockNum = req.offset / bs;
@ -222,8 +228,6 @@ ssize_t MACFileIO::readOneBlock( const IORequest &req ) const
                        throw ERROR(
                                _("MAC comparison failure, refusing to read"));
                    }
-                    break;
-                }
            }
        }