List: ntp-bugs
Subject: [ntp:bugs] [Bug 2879] Improve NTP security against timing attacks
From: bugzilla-daemon () ntp ! org
Date: 2015-12-12 10:44:34
Message-ID: bug-2879-1197-OAcAUXD68c () http ! bugs ! ntp ! org/
https://bugs.ntp.org/show_bug.cgi?id=2879
Juergen Perlinger <perlinger@ntp.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|IN_PROGRESS                 |READY
--- Comment #5 from Juergen Perlinger <perlinger@ntp.org> 2015-12-12 10:44:34 UTC ---

Loganaden, thanks for the patch.

Unfortunately there have been several issues I had to address when integrating
your changes:

1. The code for 'timingsafe_memcmp()' you gave is *not* portable C. I know this
thing is out in the wild, but that doesn't make it portable. (I think I
remember a discussion about this issue earlier this year.)

2. You patched libisc to use a function from libntp, while it should be the
other way round.

So I rewrote the compare from scratch in a way that should not exhibit any
platform dependencies (well, 'unsigned int' must be wider than 'unsigned
char'...) and placed it under the lib/isc subtree. That resulted in some
renaming. There was also actually one instance where using the time-safe
compare was not necessary, as only the existence of a non-null digest was
tested.

And I added some unit tests for the compare function.

Harlan, the repo is in
psp.ntp.org:~perlinger/ntp-stable-2879
--
Configure bugmail: https://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
_______________________________________________
bugs-announce mailing list
bugs-announce@lists.ntp.org
http://lists.ntp.org/listinfo/bugs-announce
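
An added illustration of the kind of compare comment #5 describes (not the code from the NTP repository or from either patch): a memcmp()-style comparison that uses only unsigned arithmetic, whose wrap-around is defined by the C standard, and that relies only on 'unsigned int' being wider than 'unsigned char'. The name ct_memcmp_example and the sample digests are assumptions made for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* The borrow trick below needs at least one bit above an unsigned char. */
#if UINT_MAX <= UCHAR_MAX
#error "unsigned int must be wider than unsigned char"
#endif

/* Hypothetical name. Returns -1, 0 or 1 like memcmp(), but the loop always
 * runs over all 'len' bytes and contains no data-dependent branch. */
int ct_memcmp_example(const void *p1, const void *p2, size_t len)
{
    const unsigned char *a = p1;
    const unsigned char *b = p2;
    unsigned int lt = 0, gt = 0, undecided = 1;
    size_t i;

    for (i = 0; i < len; i++) {
        unsigned int x = a[i], y = b[i];
        /* x - y wraps modulo UINT_MAX+1 when x < y, which sets bit
         * CHAR_BIT; for x >= y the difference fits in CHAR_BIT bits. */
        unsigned int below = ((x - y) >> CHAR_BIT) & 1u;
        unsigned int above = ((y - x) >> CHAR_BIT) & 1u;

        lt |= below & undecided;   /* only the first difference counts */
        gt |= above & undecided;
        undecided &= (below | above) ^ 1u;
    }
    return (int)gt - (int)lt;
}

int main(void)
{
    /* Constructed sample digests, not real NTP MACs. */
    static const unsigned char want[4] = { 0xde, 0xad, 0xbe, 0xef };
    static const unsigned char got[4]  = { 0xde, 0xad, 0xbe, 0xee };

    printf("equal:   %d\n", ct_memcmp_example(want, want, sizeof want));
    printf("differs: %d\n", ct_memcmp_example(want, got, sizeof want));
    return 0;
}
```

Constant-time behaviour is a property of the generated machine code, so the compiler output should be checked on each target and optimisation level.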