[chrony-dev] [Git][chrony/chrony][master] 3 commits: util: add function for constant-time memory comparison




Miroslav Lichvar pushed to branch master at chrony / chrony

Commits:

  • dab98fa8
    by Miroslav Lichvar at 2025-04-03T16:05:04+02:00
    util: add function for constant-time memory comparison
    
    Add a function to check if two buffers of the same length contain the
    same data, but do the comparison in a constant time with respect to the
    returned value to avoid creating a timing side channel, i.e. the time
    depends only on the buffer length, not on the content.
    
    Use the gnutls_memcmp() or nettle_memeql_sec() functions if available,
    otherwise use the same algorithm as nettle - bitwise ORing XORed data.
    
  • d115449e
    by Miroslav Lichvar at 2025-04-03T16:27:02+02:00
    keys: compare MACs in constant time
    
    Switch from memcmp() to the new constant-time function to compare the
    received and expected authentication data generated with a symmetric key
    (NTP MAC or AES CMAC).
    
    While this doesn't seem to be strictly necessary with the current
    code, it is a recommended practice to prevent timing attacks. If
    memcmp() compared the MACs one byte at a time (a typical memcmp()
    implementation works with wider integers for better performance) and
    chronyd as an NTP client/server/peer was leaking the timing of the
    comparison (e.g. in the monitoring protocol), an attacker might be able,
    for a given NTP request or response, to find in sequence the individual
    bytes of the MAC by observing differences in the timing over a large
    number of attempts. However, this process would likely be so slow the
    authenticated request or response would not be useful in a MITM attack
    as the expected origin timestamp is changing with each poll.
    
    Extend the keys unit test to compare the time the function takes to
    compare two identical MACs and MACs differing in the first byte
    (maximizing the timing difference). It should fail if the compiler's
    optimizations figure out the function can return early. The test is not
    included in the util unit test to avoid compile-time optimizations with
    the function and its caller together. The test can be disabled by
    setting the NO_TIMING_TESTS environment variable if it turns out to be
    unreliable.
    
  • f7daec06
    by Miroslav Lichvar at 2025-04-03T16:27:26+02:00
    sys_timex: detect clock interference from other processes
    
    After an ntp_adjtime()/adjtimex() call, check if the frequency, PLL time
    constant and PLL status are as expected from the previous call. If they
    changed, log a warning message to indicate that another NTP client might
    be running on the system and interfering with the system clock.
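
The fallback algorithm named in commit dab98fa8 (bitwise ORing XORed data), shown next to a model of a byte-at-a-time early-exit comparison, as an added example that is not taken from the chrony commits. The names `ct_mem_equal` and `early_exit_bytes_read` and the sample MAC bytes are constructed for illustration, and the `volatile` qualifiers are an assumption made here to discourage the compiler from returning early.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical name, not chrony's. Returns 1 if the two len-byte buffers
   hold the same data, 0 otherwise. Every byte pair is XORed and ORed into
   an accumulator, so the work depends only on len, not on the content. */
int ct_mem_equal(const void *a, const void *b, size_t len)
{
  const volatile unsigned char *pa = a, *pb = b;
  volatile unsigned char diff = 0;
  size_t i;

  for (i = 0; i < len; i++)
    diff |= pa[i] ^ pb[i];
  /* 0 -> 1, 1..255 -> 0, without branching on the accumulated value */
  return (int)(1 & ((diff - 1U) >> 8));
}

/* Model of a byte-at-a-time early-exit comparison: returns how many bytes
   it reads before it can answer, which is what its timing would expose. */
size_t early_exit_bytes_read(const unsigned char *a, const unsigned char *b,
                             size_t len)
{
  size_t i;

  for (i = 0; i < len; i++)
    if (a[i] != b[i])
      return i + 1;
  return len;
}

int main(void)
{
  /* Constructed 16-byte stand-ins for an expected MAC and received MACs */
  unsigned char mac[16] = "constructed-mac", first[16], last[16];

  memcpy(first, mac, sizeof mac);
  memcpy(last, mac, sizeof mac);
  first[0] ^= 0x01;   /* differs in the first byte */
  last[15] ^= 0x80;   /* differs in the last byte */
  printf("first byte differs: equal=%d, early exit reads %zu of 16\n",
         ct_mem_equal(mac, first, 16), early_exit_bytes_read(mac, first, 16));
  printf("last byte differs:  equal=%d, early exit reads %zu of 16\n",
         ct_mem_equal(mac, last, 16), early_exit_bytes_read(mac, last, 16));
  printf("identical:          equal=%d, early exit reads %zu of 16\n",
         ct_mem_equal(mac, mac, 16), early_exit_bytes_read(mac, mac, 16));
  return 0;
}
```

The early-exit model reads 1 byte when the first byte differs and all 16 when only the last differs or the MACs match, while `ct_mem_equal` always reads all 16.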
    

7 changed files:


