2011-09-30 09:41:05 — part of check-in [e3d022dffa] on branch dmitry-security
— Catch zero length early in blob_constant_time_eq().
(user: dmitry size: 26278)
2011-10-04 14:28:00 — part of check-in [13a9a1244c] on branch dmitry-security
— Revert the previous change after thinking more about it.
Login cards in the sync protocol have the following format:
login userid nonce signature
Nonce is the SHA-1 of the message that follows this line; signature is the SHA-1 of the concatenation of the nonce and the user's shared secret. A successful timing attack can reveal only the signature for this particular packet due to the nonce. However, as the nonce is known to the attacker, it's theoretically possible for them to brute-force the shared secret _offline_.
The whole scenario sounds highly improbable, but using a constant-time comparison function for such things by default is a good practice.
(user: dmitry size: 26278)
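Added example, not Fossil's own blob_constant_time_eq(): a constant-time byte-string comparison in C (named ct_blob_eq here) that folds a length mismatch, zero length included, into the result instead of returning early, plus a small signature check for the login card field built on it. The 40-character hex SHA-1 digest format and the helper name login_signature_ok are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical constant-time comparison (not Fossil's blob_constant_time_eq).
 * Returns 1 if the two byte strings are equal, 0 otherwise.
 * Every byte of the shorter input is always examined, and a length
 * difference (including a zero-length input) is OR-ed into the accumulator
 * without a branch, so the running time depends only on the lengths,
 * never on where the first differing byte sits. */
int ct_blob_eq(const unsigned char *a, size_t alen,
               const unsigned char *b, size_t blen) {
  size_t n = alen < blen ? alen : blen;
  size_t d = alen ^ blen;             /* nonzero iff lengths differ */
  unsigned char acc = 0;
  size_t i;
  /* Branchless "is d nonzero": the top bit of (d | -d) is set iff d != 0. */
  acc |= (unsigned char)((d | (size_t)(0 - d)) >> (sizeof(size_t) * 8 - 1));
  for (i = 0; i < n; i++) {
    acc |= a[i] ^ b[i];               /* no early exit on mismatch */
  }
  return acc == 0;
}

/* Check the signature field of a sync login card against the value the
 * server computed. Both are assumed to be 40-character hex SHA-1 digests;
 * their lengths are public, only the content is compared in constant time. */
int login_signature_ok(const char *card_sig, const char *expected_sig) {
  return ct_blob_eq((const unsigned char *)card_sig, strlen(card_sig),
                    (const unsigned char *)expected_sig, strlen(expected_sig));
}

int main(void) {
  /* Constructed sample values, not taken from a real login card. */
  const char *good = "da39a3ee5e6b4b0d3255bfef95601890afd80709";
  const char *bad  = "da39a3ee5e6b4b0d3255bfef95601890afd80708";
  printf("match: %d\n", login_signature_ok(good, good));   /* 1 */
  printf("mismatch: %d\n", login_signature_ok(good, bad)); /* 0 */
  printf("empty vs empty: %d\n", ct_blob_eq((const unsigned char *)"", 0,
                                            (const unsigned char *)"", 0));
  return 0;
}
```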