Introduce1: Use a constant-time check for all-zero RsaIdentity

As a matter of good crypto practice, we shouldn't use
short-circuiting checks to compare keys or key-like objects, since
the amount of time taken by those checks can leak information about
their inputs.

I don't think it's actually _necessary_ to use a constant-time
operation in this case, but let's establish the precedent.

This is a follow-up to !724.
Nick Mathewson 2022-09-20 09:36:49 -04:00
parent 657914f778
commit 3e922e5ede
1 changed files with 3 additions and 2 deletions
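
The timing concern raised in the commit message, as an added example that is not part of this commit or of the `tor_llcrypto` code: a short-circuiting all-zero check next to an OR-fold that reads every byte. The function names and the `examined` counter are hypothetical instrumentation that makes the data-dependent work visible without a timing harness; real code should rely on a vetted constant-time primitive rather than this hand-written fold.

```rust
use std::hint::black_box;

/// Length of the legacy key id, matching the `[u8; 20]` read in the diff.
const ID_LEN: usize = 20;

/// Short-circuiting check: returns at the first nonzero byte.
/// The second tuple field is how many bytes were read before deciding.
fn is_zero_short_circuit(id: &[u8; ID_LEN]) -> (bool, usize) {
    for (i, b) in id.iter().enumerate() {
        if *b != 0 {
            // Early exit: work done depends on where the nonzero byte sits.
            return (false, i + 1);
        }
    }
    (true, ID_LEN)
}

/// OR-fold check: reads all bytes and decides once at the end.
/// `black_box` asks the optimizer not to turn the loop back into an early exit;
/// it is a best-effort hint, not a guarantee.
fn is_zero_fold(id: &[u8; ID_LEN]) -> (bool, usize) {
    let mut acc = 0u8;
    let mut examined = 0usize;
    for b in id.iter() {
        acc |= black_box(*b);
        examined += 1;
    }
    (black_box(acc) == 0, examined)
}

fn main() {
    // Constructed sample inputs, not real key ids.
    let zero = [0u8; ID_LEN];
    let mut early = [0u8; ID_LEN];
    early[0] = 1;
    let mut late = [0u8; ID_LEN];
    late[ID_LEN - 1] = 1;

    for (name, id) in [("all zero", zero), ("nonzero first", early), ("nonzero last", late)] {
        println!(
            "{}: short_circuit={:?} fold={:?}",
            name,
            is_zero_short_circuit(&id),
            is_zero_fold(&id)
        );
    }
}
```

Both functions agree on the boolean result for every input; only the short-circuiting one reads a number of bytes that depends on the input.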

@ -7,6 +7,7 @@ use super::msg;
use caret::caret_int;
use tor_bytes::{EncodeError, EncodeResult, Error as BytesError, Readable, Result, Writeable};
use tor_bytes::{Reader, Writer};
use tor_llcrypto::pk::rsa::RsaIdentity;
use tor_units::BoundedInt32;
caret_int! {
@ -269,8 +270,8 @@ impl msg::Body for Introduce1 {
msg::RelayMsg::Introduce1(self)
}
fn decode_from_reader(r: &mut Reader<'_>) -> Result<Self> {
let legacy_key_id: [u8; 20] = r.extract()?;
if legacy_key_id.iter().any(|b| *b != 0_u8) {
let legacy_key_id: RsaIdentity = r.extract()?;
if !legacy_key_id.is_zero() {
return Err(BytesError::BadMessage("legacy key id in Introduce1."));
}
let auth_key_type = r.take_u8()?.into();
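
Review bot: The `if !legacy_key_id.is_zero()` line in `decode_from_reader` has no comment explaining why `is_zero()` is used rather than the `.iter().any(|b| *b != 0_u8)` form, so a later cleanup could quietly reintroduce the short-circuiting scan; add a one-line comment above the check stating that it is deliberately constant-time. The error string "legacy key id in Introduce1." could also say that the id was nonzero, since that is the condition being rejected.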