A short while ago, I converted some memcmp calls in libssl to CRYPTO_memcmp. As noted at the time, it’s easier to assume something is secret and sensitive to timing attacks than to prove it’s not. However, one must be a little cautious because CRYPTO_memcmp, unlike its libc namesake memcmp, is actually an equality function (zero or not-zero) and not a comparison function (negative, zero, positive for less than, equal, greater than). (Don’t confuse it with OPENSSL_memcmp, which does have memcmp semantics, but is vulnerable to timing attacks because it’s not constant time.)

more...

A few days ago, jsing fixed a bug in libssl. It’s not the end of the world, but it’s a bug. Here’s the diff.

 int
 ssl3_final_finish_mac(SSL *s, const char *sender, int len, unsigned char *p)
 {
-	int ret;
-	ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
-	p += ret;
-	ret += ssl3_handshake_mac(s, NID_sha1, sender, len, p);
-	return (ret);
+	int ret_md5, ret_sha1;
+
+	ret_md5 = ssl3_handshake_mac(s, NID_md5, sender, len, p);
+	if (ret_md5 == 0)
+		return 0;
+	p += ret_md5;
+	ret_sha1 = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
+	if (ret_sha1 == 0)
+		return 0;
+	return (ret_md5 + ret_sha1);
 }
 
 static int

Two variables are introduced, one for each function called, and the local variable for this function’s return value is removed.

Now look at the OpenSSL fix for the same bug.

 int ssl3_final_finish_mac(SSL *s, 
 	     const char *sender, int len, unsigned char *p)
 	{
-	int ret;
+	int ret, sha1len;
 	ret=ssl3_handshake_mac(s,NID_md5,sender,len,p);
+	if(ret == 0)
+		return 0;
+
 	p+=ret;
-	ret+=ssl3_handshake_mac(s,NID_sha1,sender,len,p);
+
+	sha1len=ssl3_handshake_mac(s,NID_sha1,sender,len,p);
+	if(sha1len == 0)
+		return 0;
+
+	ret+=sha1len;
 	return(ret);
 	}
 static int ssl3_handshake_mac(SSL *s, int md_nid,

A new variable is introduced for one function, but the existing variable for this function’s return value continues to be used to store a called function’s return.

Why is this bad? As alluded to earlier, improper return checking bugs are rampant in TLS libraries. Apple’s #gotofail bug and the following week’s GnuTLS bypass were both caused by setting a return code too soon, and then bubbling it up. Here we have the identical bug (diminished in severity), and the opportunity to correct a poor practice by eliminating semantic overloading of variables. Why not take it?

A short program to demonstrate network filtering with Lua. Although the kernel provides pf filtering and some bandwidth shaping facilities, they don’t cover every scenario. For example, consider the case where our server is connected to a network port where we pay for some amount of bandwidth, but have burstable speeds much faster than that. Commonly seen as 95th percentile billing. As long as we’re under our five minute quota, we want to pass traffic full speed, but as we approach that mark, we want to start clamping down. The pf.conf burst queueing rules can’t quite handle this situation.

For more flexibility, we can pass all our network traffic through userland using tun and have an arbitrary program analyze and shape it. This setup requires a whole mess of virtual interfaces to be configured with ifconfig, but it’s really not so bad. We want to pass ethernet frames, so we use the link0 flag.

ifconfig tun0 create link0
ifconfig bridge0 create add em0 add tun0
ifconfig tun1 create link0
ifconfig vether0 create
ifconfig bridge1 create add vether0 add tun1

Now we have a vether interface connected, via bridges and tuns, to the network. We configure this interface with our IP (run dhclient if you like), and it effectively replaces em0 as the primary interface. This is an endpoint configuration; vether can be replaced by a physical interface for a router. All that’s missing is a program to pass traffic between the two tun interfaces.

Here’s a short Lua (luajit) program. It reads from the two tun interfaces and passes packets between them as they arrive. As the amount of traffic passed approaches our five minute quota, it starts probabilistically dropping packets. As written it lets you use 75% of your quota at full speed before rather sharply curtailing it. (As a bonus, it will occasionally print a frequency count of each byte to demonstrate other uses.)

netfilt.lua

See also trickle.

The key to a good password hashing function (whether it’s for storing the hash in an authentication system or to generate a key for encryption) is that it be slow. Well, not actually slow, but difficult. Well, not actually difficult, but expensive. The progression of hashing algorithms reflects this, from crypto to bcrypt to scrypt. The most frequently (only?) cited section of the scrypt paper is the table at the end comparing the cost to build cracking machines for various algorithms. The focus is on designing an algorithm that is computationally expensive, such that it becomes financially expensive to build a cracker. Nevertheless, as expensive as it would be, it is possible to build an scrypt cracker. What if we could use an algorithm that made it impossible, not just expensive, to build a cracking machine?

more...

Went to a movie this afternoon because it was raining. Because it was raining, the government issued a puddles of unusual depth alert, causing everybody’s phone to blow up mid movie, within the space of a few minutes. The weather catastrophe alert tone could have been a credible sound effect, coupled with some great positional surround sound, but all the lit up screens gave the trick away. Then it kept happening as the less important people were notified and started interrupting the movie. There’s always a few idiots who can’t turn their phone off, but the number of alerts received made it seem likely the alerts can override vibrate or even silent settings.

The good news is the alerts can be turned off (somewhere in phone settings) to avoid disturbance at the movies or elsewhere. I did so last summer after noticing alerts happen whenever it rains.

The movie was Edge of Tomorrow. I liked it. Groundhog Day meets Starship Troopers.

Amber Alert update: Amber Alert worked well. Apparently, their definition of success was waking people up at 4am, since there’s no mention of how the alert influenced the outcome of the children, which is how I would determine if it worked well or not.

Much has been written about the awfulness of Apple Maps, but sometimes it’s just awesome. I’m in California; I search for a Philz (because that’s what you do in the Bay Area), and I get... Philadelphia. iPhone knows me better than I thought.

Having lunch today in Startup Valley, breathing in the entrepreneurship and prepping my elevator pitches. Here’s my latest startup idea: Whiskme.

The number of small batch distilleries has increased tenfold in the past ten years, making it harder than ever for connoisseurs to sample the market’s many offerings. Whiskme is a peer to peer app that leverages the sharing economy to deliver rare and exotic whisky (and occasional whiskey) right to your door. Users of our location aware social network app list the contents of their whisky collection that they are willing to trade, and identify samples they would like to try. Then our advanced cloud based platform processes these requests using sophisticated machine learning algorithms to create potential swap pairs. When a match is found, both parties are notified via our app and a Lyft car is automatically dispatched to handle the physical transport. You never need to leave your home!

Any Wikipedia article that has been mathematized is practically guaranteed to be incomprehensible. And it’s definitely guaranteed to be illegible. The article for locality sensitive hashing doesn’t disappoint.

Why is math illiteracy rampant? Because nobody should be forced to read text like this unless they’re guilty of some heinous crime.

Sometimes I receive mail from people with msn.com (or outlook.com or live.com) email addresses. Legit mail, even including patches for OpenBSD (crazy!). Unfortunately my IP address was blacklisted, so my direct replies would bounce back to me. The good news is that Microsoft has a support form you can use to resolve this issue. The bad news is it asks 30 (thirty!) questions (all required!) about my business and my mailing list.

“What OS are you using?” OpenBSD

“What mail transport software are you using?” smtpd

“Provide the URL of your web site.” ok... www.tedunangst.com

“Provide the URL of your Privacy Policy.” uh...

“In what manner(s) are recipients added to your mailing list(s)?” I type it in the To: box. Sometimes I click reply.

“Please copy/paste samples of a few of the messages you’re sending.” (An email containing a patch for src/lib/libfuse. Bet they haven’t seen that before.)

The good news is somebody at Microsoft has decided I “qualify for conditional mitigation” until such time as I have “established a good reputation” according to the form letter response. The bad news I don’t know if anybody read my answers to their inane questions and had a chuckle, or just clicked the green button and moved on to the next spammer trying to cheat the system.

I’ve skirted around the issue of paging flak for some time. It’s not that it’s hard; it’s quite easy. Easy to do wrong, that is. As explained here page numbers should start at 1 for old posts. That part is easy, but it leaves open the question of what to put on the last (highest numbered) page.

Lacking an obvious technical solution, I turned to rationalizing the absence of the feature as a feature in its own right. Without an easy way to dig through old posts, I needn’t worry about keeping their content updated. Old posts naturally fade away and decompose.

There’s also a certain psychological trick involved, call it the pot of gold at the end of the rainbow. There’s the implied promise of posts worth reading, if only you knew the right search terms to find them. A wonderful conceit.

Ah, well, all good things must end. Punting on the issue of paging, I redefined the problem. There’s now a one page flak archive. Minimal info to keep it small, should scale for the next few years without too much trouble.