The comparison functions were using strcmp, which compares one character at a time checking for non-matches; at the first non-match it bails, returning -1, 0 or 1. This is how timing attacks are formed.
@thegoleffect asked about whether this module was vulnerable to this kind of attack. I looked into it and believe it is.
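As an added illustration (not code from this module or its author), the early-exit comparison described above is shown beside a constant-time equality check; the function names, the instrumented naive_steps helper, and the sample strings are my own constructs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The early-exit comparison described above: strcmp stops at the first
 * mismatching byte, so the work done depends on how long a prefix of the
 * guess matches the secret. */
int naive_equal(const char *secret, const char *guess)
{
    return strcmp(secret, guess) == 0;
}

/* Instrumented copy of the same early-exit loop. Returns how many byte
 * positions were examined before bailing, i.e. the quantity that leaks
 * through elapsed time in a timing attack. */
size_t naive_steps(const char *secret, const char *guess)
{
    size_t i = 0;
    for (;;) {
        i++;
        if (secret[i - 1] != guess[i - 1] || secret[i - 1] == '\0')
            return i;
    }
}

/* Constant-time equality: walks every byte of the first input and folds
 * the differences with OR instead of branching on them, so the running
 * time depends only on the (public) lengths, never on where the inputs
 * first differ. */
int consttime_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    unsigned char diff = (unsigned char)(alen != blen);
    for (size_t i = 0; i < alen; i++) {
        unsigned char bi = (i < blen) ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)a[i] ^ bi;
    }
    return diff == 0;
}

int main(void)
{
    const char *secret = "correct horse"; /* constructed sample value */
    /* Two wrong guesses that take different amounts of work under strcmp. */
    printf("steps for 'zzzzzzzzzzzzz': %zu\n", naive_steps(secret, "zzzzzzzzzzzzz"));
    printf("steps for 'correct h0rse': %zu\n", naive_steps(secret, "correct h0rse"));
    printf("constant-time match: %d\n",
           consttime_equal(secret, strlen(secret), "correct horse", 13));
    return 0;
}
```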