Closed libre-man closed 7 years ago
As stated in #1 the library contains a timing attack vulnerability. This could be easily solved by using a custom `string=` function such as this one:

```lisp
(defun constant-string= (str1 str2)
  (declare (optimize (speed 3) (safety 0)))
  (check-type str1 string)
  (check-type str2 string)
  ;; Start from the length difference, add the XOR of every character pair,
  ;; and only decide at the end, so the run time does not depend on where
  ;; the first mismatch occurs.
  (loop :with res = (abs (- (length str1) (length str2)))
        :for c1 :across str1
        :for c2 :across str2
        :do (setq res (+ res (boole boole-xor (char-code c1) (char-code c2))))
        :finally (return (= res 0))))
```
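The same idea carried a step further, as an added example that is not from the issue or from cl-pass: the early-exit comparison that leaks timing next to a constant-time one whose loop count depends only on the stored value's length (the posted version stops at the shorter string), plus a self-check. Function names are mine; like the snippet above it compares character codes, which is fine for ASCII digests.

```lisp
;;; Added example, not code from the issue or from cl-pass. The names are
;;; mine. Like the snippet in the issue it compares character codes, which
;;; is fine for ASCII digests; for arbitrary text compare encoded octets.

(defun leaky-string= (expected actual)
  "Plain early-exit comparison (what STRING= effectively does): it returns
   at the first mismatch, so the run time grows with the length of the
   matching prefix and an attacker can recover the secret byte by byte."
  (and (= (length expected) (length actual))
       (loop :for c1 :across expected
             :for c2 :across actual
             :always (char= c1 c2))))

(defun constant-time-string= (expected actual)
  "Decide only after every character of EXPECTED has been visited. The loop
   count depends on the length of the stored secret, not on the caller's
   input, and a length mismatch is folded into the result instead of
   short-circuiting. LOGIOR accumulates without any risk of overflow."
  (declare (type string expected actual))
  (let* ((len-e (length expected))
         (len-a (length actual))
         (acc (logxor len-e len-a)))
    ;; An empty ACTUAL would make MOD below divide by zero; the length
    ;; XOR has already settled the answer in that case.
    (when (zerop len-a)
      (return-from constant-time-string= (zerop acc)))
    (dotimes (i len-e)
      (setf acc (logior acc
                        (logxor (char-code (char expected i))
                                ;; wrap around ACTUAL so indexing never
                                ;; fails and the loop always runs LEN-E times
                                (char-code (char actual (mod i len-a)))))))
    (zerop acc)))

(defun self-check ()
  "Both comparators must agree on the answer; only the timing differs."
  (every (lambda (pair)
           (let ((e (first pair)) (a (second pair)))
             (eq (not (leaky-string= e a))
                 (not (constant-time-string= e a)))))
         '(("abc" "abc") ("abc" "abd") ("abc" "ab") ("ab" "abc")
           ("" "") ("" "x") ("x" ""))))
```

`(self-check)` returns `T`; the point of the exercise is that `constant-time-string=` gives the same answers as the leaky version without its data-dependent exit.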
Oh dang, I never realized this. I'm retarded. Will fix soon-ish.
Fixed in https://github.com/eudoxia0/cl-pass/commit/cff487d40d8768e56a37f55f6d25ce9508e9c127