Creating this ticket in reference to tweet

Not sure what exactly Alex meant; most probably he is referring to the following line of code, where the clock skew test is done twice, once for X-Date and, if it fails, then for the Date header, and each time ngx_parse_time is called to get the current time. Ideally ngx_parse_time should be called once and passed as an argument.

```lua
-- validate clock skew
if not (validate_clock_skew(headers, X_DATE, conf.clock_skew) or validate_clock_skew(headers, DATE, conf.clock_skew)) then
  responses.send_HTTP_FORBIDDEN("HMAC signature cannot be verified, a valid date or x-date header is required for HMAC Authentication")
end
```

Update: The issue is how the digest is being compared; solution: http://codahale.com/a-lesson-in-timing-attacks/
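The comparison problem named in the update, as an added example that is not part of the original issue or the plugin's own code: an early-exit byte comparison beside one that always examines every byte. The function names and digest strings are constructed for illustration, and in an interpreted language the second form is best-effort rather than a hard timing guarantee.

```lua
-- Early-exit comparison: stops at the first mismatching byte, so the amount
-- of work done depends on how many leading bytes of the supplied value match.
-- Returns the result and the number of bytes examined.
local function early_exit_equals(expected, supplied)
  if #expected ~= #supplied then return false, 0 end
  for i = 1, #expected do
    if expected:byte(i) ~= supplied:byte(i) then return false, i end
  end
  return true, #expected
end

-- Fixed-work comparison: every byte is examined and the differences are
-- accumulated arithmetically, with no branch on the secret data.
local function constant_time_equals(expected, supplied)
  if type(expected) ~= "string" or type(supplied) ~= "string" then
    return false, 0
  end
  -- The length of a fixed-size HMAC digest is not secret, so this early
  -- return reveals nothing about the digest contents.
  if #expected ~= #supplied then return false, 0 end
  local diff = 0
  for i = 1, #expected do
    local d = expected:byte(i) - supplied:byte(i)
    diff = diff + d * d  -- stays zero only if every byte pair is equal
  end
  return diff == 0, #expected
end

-- Constructed sample values standing in for the computed digest and the
-- digest sent by the client.
local computed = "3f2a9c0e51b7d4a8"
local samples = {
  { label = "identical",        value = "3f2a9c0e51b7d4a8" },
  { label = "first byte wrong", value = "Xf2a9c0e51b7d4a8" },
  { label = "last byte wrong",  value = "3f2a9c0e51b7d4aX" },
}

for _, s in ipairs(samples) do
  local ok_leaky, seen_leaky = early_exit_equals(computed, s.value)
  local ok_fixed, seen_fixed = constant_time_equals(computed, s.value)
  assert(ok_leaky == ok_fixed)      -- both forms agree on the answer
  assert(seen_fixed == #computed)   -- fixed-work form always reads every byte
  print(string.format("%-17s equal=%-5s early-exit bytes=%2d fixed bytes=%2d",
    s.label, tostring(ok_fixed), seen_leaky, seen_fixed))
end
```

The bytes-examined column stands in for elapsed time: the early-exit form reads 1 byte when the first byte is wrong and 16 when only the last is, while the fixed-work form reads 16 in every case.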