Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Timing Attack Vulnerability #3

Closed
paragonie-scott opened this issue Jan 25, 2016 · 1 comment
Closed

Timing Attack Vulnerability #3

paragonie-scott opened this issue Jan 25, 2016 · 1 comment
Assignees
@timestretch

Comments

@paragonie-scott
Copy link

http://www.openwall.com/lists/oss-security/2016/01/24/10

Problematic line:

ruby_rncryptor/lib/ruby_rncryptor.rb

Line 27 in 5fff939

verified = [HMAC.hexdigest('sha256', hmac_key, msg)].pack('H*') == hmac

@timestretch timestretch self-assigned this Jan 26, 2016
@timestretch
Copy link
Member

Thanks for the report! I just pushed v3.0.1 which uses the eql_time_cmp method from the openssl docs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@timestretch timestretch

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@timestretch @paragonie-scott