Use secure_compare for hmac comparison

 * Closes CVE-2013-0263
commit 0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07 1 parent 9a81b96
James Tucker raggi authored
Showing with 1 addition and 1 deletion.
  1. +1 −1  lib/rack/session/cookie.rb
lib/rack/session/cookie.rb
@@ -159,7 +159,7 @@ def destroy_session(env, session_id, options)
def digest_match?(data, digest)
return unless data && digest
@secrets.any? do |secret|
- digest == generate_hmac(data, secret)
+ Rack::Utils.secure_compare(digest, generate_hmac(data, secret))
end
end
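Review bot: The swap of `==` for `Rack::Utils.secure_compare` is the right fix, since `digest` is parsed from the client-supplied session cookie and `generate_hmac(data, secret)` is the server-side expected value, so the comparison must not short-circuit on the first mismatching byte. Two follow-ups: the commit touches only lib/rack/session/cookie.rb with no spec, so add a regression test asserting that a cookie whose digest differs from the expected HMAC in its first byte is rejected for every secret in `@secrets`; and `return unless data && digest` yields nil rather than false, so `return false unless data && digest` would keep the predicate's return contract consistent with the boolean that `secure_compare` now produces.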
Tony Arcieri

Heh, funny, I looked for this vulnerability in Rails recently and saw they were using a (wonky) constant-time comparison function. Didn't think to look in Rack. Crypto is hard :(

David Chapman

More support for RbNaCl :+1:

Tony Arcieri

Constant time comparison function? Yeah, RbNaCl's got one of those (and full HMAC as implemented by Dan Bernstein): https://github.com/cryptosphere/rbnacl/blob/master/lib/rbnacl/util.rb#L40
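The constant-time comparison discussed here, as an added Ruby example that is not Rack's or RbNaCl's code: a naive `==` check on an HMAC digest beside a comparison that touches every byte, wrapped in a `digest_match?`-style predicate that accepts any of several rotated secrets. The cookie data and secrets are constructed sample values, and `hmac_for` is an assumed helper standing in for the session store's `generate_hmac`.

```ruby
require 'openssl'

# Assumed helper, playing the role of the cookie store's generate_hmac:
# hex-encoded HMAC-SHA1 of the cookie payload under one secret.
def hmac_for(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Vulnerable shape: String#== returns as soon as one byte differs, so the
# time taken depends on how many leading bytes of the guess are correct.
def naive_digest_match?(data, digest, secrets)
  return false unless data && digest
  secrets.any? { |secret| digest == hmac_for(data, secret) }
end

# Constant-time comparison: XOR each byte pair and OR the results together,
# so the loop always runs to the end and the result does not depend on the
# position of the first mismatch. Lengths are checked first; that is fine
# here because the expected value is a fixed-length hex digest, so only the
# length of the attacker-supplied string is revealed, never its contents.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Hardened shape, equivalent to what the commit does with
# Rack::Utils.secure_compare: same predicate, constant-time comparison.
def secure_digest_match?(data, digest, secrets)
  return false unless data && digest
  secrets.any? { |secret| constant_time_equal?(digest, hmac_for(data, secret)) }
end

# Constructed sample values (not taken from the page).
SECRETS = ['current-secret', 'previous-secret'].freeze
COOKIE_DATA = 'BAh7BkkiCHVzZXIGOgZFRkkiCGJvYgY7AFQ='.freeze

# Exercises both predicates on a valid digest (signed with the older secret,
# which rotation still accepts), a digest with its first hex char flipped,
# a truncated digest, and a missing digest.
def demo
  good = hmac_for(COOKIE_DATA, SECRETS.last)
  bad  = good.sub(/\A./) { |c| c == 'a' ? 'b' : 'a' }
  {
    naive_valid:  naive_digest_match?(COOKIE_DATA, good, SECRETS),
    valid:        secure_digest_match?(COOKIE_DATA, good, SECRETS),
    tampered:     secure_digest_match?(COOKIE_DATA, bad, SECRETS),
    wrong_length: secure_digest_match?(COOKIE_DATA, good[0, 10], SECRETS),
    missing:      secure_digest_match?(COOKIE_DATA, nil, SECRETS)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Both predicates return the same booleans; the difference is only in how long a rejection takes relative to how much of the guess was right, which is exactly the signal the naive version leaks and the constant-time version removes.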

James Tucker

Saddest thing about this is, @codahale reported this 3 years ago, and I even responded then, but I was too dumb to get it, and not running releases (probably good). Anyway, I was wrong then, and we were wrong not to deal with it.

Tony Arcieri

@raggi again, crypto is hard ;(

James Tucker

@tarcieri thing that really gets me though, is that these days I'm very clearly aware of how critical timing attacks are. I had some generally knowledgeable folks telling me it's not really viable over the last couple of days. Well, when you're inside the Cloud, you're basically on a LAN. This is totally viable inside [insert cloud service here].

Tony Arcieri

Know a timing attack:

[image: Screen Shot 2013-02-07 at 10 06 03 PM]
