eudoxia0 / cl-pass

Password hashing and verification library
30 stars 5 forks

Timing attack vulnerability #5

Closed libre-man closed 7 years ago

libre-man commented 7 years ago

As stated in #1, the library contains a timing attack vulnerability. This could be easily solved by using a custom string= function such as this one:

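(defun constant-string= (str1 str2)
  (declare (optimize (speed 3) (safety 0)))
  (check-type str1 string)
  (check-type str2 string)
  ;; RES starts at the length difference, so strings of unequal length
  ;; can never compare equal even though the loop stops at the shorter one.
  (loop :with res = (abs (- (length str1) (length str2)))
        :for c1 :across str1
        :for c2 :across str2
        ;; Accumulate the XOR of every character pair instead of
        ;; returning at the first mismatch.
        :do (setq res (+ res (boole boole-xor (char-code c1) (char-code c2))))
        :finally (return (= res 0))))

eudoxia0 commented 7 years ago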

Oh dang, I never realized this. I'm retarded. Will fix soon-ish.

eudoxia0 commented 7 years ago

Fixed in https://github.com/eudoxia0/cl-pass/commit/cff487d40d8768e56a37f55f6d25ce9508e9c127
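
The difference between an early-exit comparison and the accumulating comparison proposed in this issue, as an added example that is not part of the thread or of cl-pass's code. The function names and the sample digest are hypothetical and constructed for illustration; `early-exit-steps` is only a model of how much work a `string=`-style comparison does before it can return.

```lisp
;;; Added example. Names are hypothetical, not cl-pass's API.

(defun early-exit-steps (expected candidate)
  "Model of the character comparisons an early-exit comparison performs
before returning. The count grows with the length of the matching prefix,
which is the signal a timing measurement picks up."
  (let ((m (mismatch expected candidate)))
    (if m (1+ m) (length expected))))

(defun constant-time-string= (expected candidate)
  "Compare two strings without returning early. The loop always runs over
every character of CANDIDATE, so the work done does not depend on where
the first difference is."
  (check-type expected string)
  (check-type candidate string)
  (let ((acc (logxor (length expected) (length candidate))) ; non-zero if lengths differ
        (n (length expected)))
    (dotimes (i (length candidate) (zerop acc))
      ;; Wrap the index into EXPECTED so a shorter EXPECTED is never read
      ;; out of bounds; ACC is already non-zero in that case.
      (let ((c1 (if (zerop n) 0 (char-code (char expected (mod i n)))))
            (c2 (char-code (char candidate i))))
        ;; OR together the XOR of each pair: ACC stays 0 only if all match.
        (setf acc (logior acc (logxor c1 c2)))))))

(defun demo ()
  "Print the modelled early-exit work next to the constant-time result."
  (let ((stored "a1b2c3d4e5f60718")            ; constructed sample digest
        (guesses '("0000000000000000"          ; no matching prefix
                   "a1b2000000000000"          ; 4 matching characters
                   "a1b2c3d4e5f60700"          ; 14 matching characters
                   "a1b2c3d4e5f60718"          ; exact match
                   "a1b2")))                   ; shorter input
    (dolist (guess guesses)
      (format t "~18A early-exit steps: ~2D  equal: ~A~%"
              guess
              (early-exit-steps stored guess)
              (constant-time-string= stored guess)))))

(demo)
```

The language standard makes no timing guarantees, so whether the compiled loop is actually constant-time depends on the implementation and optimization settings.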