Comparator possibly vulnerable to timing attacks. #13

Description

@ncb000gt

The comparison functions were using strcmp, which compares one character at a time checking for non-matches; at the first non-match it bails, returning -1, 0 or 1. This is how timing attacks are formed.

@thegoleffect asked about whether this module was vulnerable to this kind of attack. I looked into it and believe it is.
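
The early exit described above next to a comparison that always scans every byte, as an added example that is not this module's code. The function names and sample strings are constructed for illustration, both inputs are assumed to have the same known length, and the step counter stands in for the running time an observer could measure.

```c
#include <stddef.h>
#include <stdio.h>

#define LEN 16

/* Constructed sample values, not real hashes. */
static const char STORED[]     = "aaaaaaaaaaaaaaaa";
static const char MISS_FIRST[] = "Xaaaaaaaaaaaaaaa";
static const char MISS_LAST[]  = "aaaaaaaaaaaaaaaX";

/* strcmp-style check: returns at the first mismatching byte, so the
 * number of bytes examined depends on how long the matching prefix is. */
int early_exit_equal(const char *a, const char *b, size_t len, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time check: examines every byte and ORs the differences into
 * one accumulator, so the work is the same wherever the inputs differ. */
int constant_time_equal(const char *a, const char *b, size_t len, size_t *steps)
{
    volatile unsigned char diff = 0; /* volatile discourages short-circuiting */
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    }
    return diff == 0;
}

/* Helpers: bytes examined, and match result, for a candidate vs. STORED. */
size_t steps_early(const char *c) { size_t s; early_exit_equal(STORED, c, LEN, &s); return s; }
size_t steps_ct(const char *c)    { size_t s; constant_time_equal(STORED, c, LEN, &s); return s; }
int    ct_match(const char *c)    { size_t s; return constant_time_equal(STORED, c, LEN, &s); }

int main(void)
{
    printf("early exit:    first=%zu last=%zu\n", steps_early(MISS_FIRST), steps_early(MISS_LAST));
    printf("constant time: first=%zu last=%zu\n", steps_ct(MISS_FIRST), steps_ct(MISS_LAST));
    return 0;
}
```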
