Add missing newline to usage message.

Use costant time memcmp.
Not strictly necessary for our threat model, since we won't be continuously trying to decrypt an attacker's files, which means a timing attack shouldn't be possible. It's still overall more correct. Constant time implementation borrowed from [1], but most constant time memcmp implementations I've seen used similar techniques. [1] https://github.com/veorq/cryptocoding#compare-secret-strings-in-constant-time
2021-11-07 23:58:09 -03:00 · 2021-11-07 23:46:49 -03:00
1 changed files with 11 additions and 2 deletions
--- a/cbc-file.c
+++ b/cbc-file.c
@ -42,9 +42,18 @@ CHACHA20POLY1305 = 1,
 };
 const enum encryption_type default_enctype = CHACHA20POLY1305;

+/* constant time */
+static int ct_memcmp(const void *va, const void *vb, size_t l)
+{
+	const unsigned char *a = va, *b = vb;
+	unsigned char rv = 0;
+	for (size_t i=0; i<l; i++) rv |= a[i] ^ b[i];
+	return rv;
+}
+
 static void usage(void)
 {
-	fputs("Usage: cbd-file lock|unlock <file>", stderr);
+	fputs("Usage: cbd-file lock|unlock <file>\n", stderr);
 	exit(1);
 }

@ -194,7 +203,7 @@ int main(int argc, char **argv)

 		uint8_t new_tag[TAG_LENGTH];
 		br_poly1305_ctmul_run(key, iv, buffer, bytes, aad, AAD_LENGTH, new_tag, br_chacha20_ct_run, 0);
-		if (memcmp(tag, new_tag, TAG_LENGTH)) {
+		if (ct_memcmp(tag, new_tag, TAG_LENGTH)) {
 			fputs("bad tag!\n", stderr);
 			return 1;
 		}