Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
2 check-ins using file src/blob.c version 2fac98d117
|
2011-10-04
| ||
| 14:28 | Revert the previous change after thinking more about it. Login cards in the sync protocol have the following format: login userid nonce signature Nonce is SHA-1 of the message that follows this line, signature is SHA-1 of the concatenation of the nonce and user's shared secret. The successful timing attack can reveal only signature for this particular packet due to nonce. However, as nonce is known to the attacker, it's theoretically possible for them to bruteforce the shared secret_offline_. The whole scenario sounds highly improbable, but using constant-time comparison function for such things by default is a good practice. ... (check-in: 13a9a1244c user: dmitry tags: dmitry-security) | |
|
2011-09-30
| ||
| 09:41 | Catch zero length early in blob_constant_time_eq(). ... (check-in: e3d022dffa user: dmitry tags: dmitry-security) | |