Security: Use constant-time comparison for HMAC verification #23
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fix potential timing attack vulnerability in HMAC signature verification.
The previous implementation used Ruby's == operator for comparing signatures:
signature == sign(data)
This is vulnerable to timing attacks because == performs byte-by-byte
comparison and returns false as soon as it finds a mismatch. An attacker
can measure response times to determine how many leading bytes of their
forged signature match the valid signature, potentially allowing them to
construct a valid signature over many requests.
The fix uses OpenSSL.secure_compare which performs constant-time comparison:
OpenSSL.secure_compare(signature, sign(data))
This always takes the same amount of time regardless of where (or if) the
strings differ, preventing timing-based information leakage.
Changes:
- Replace == with OpenSSL.secure_compare in HMAC::Key#verify
- Add tests verifying the secure comparison is used
- Add tests for various HMAC verification scenarios
Security Impact:
- Mitigates CWE-208: Observable Timing Discrepancy
- No functional changes to signature verification behavior
- Compatible with existing OpenSSL >= 3.0 requirement
References:
- https://cwe.mitre.org/data/definitions/208.html
- https://codahale.com/a-lesson-in-timing-attacks/
Co-authored-by: Shelley <shelley@exe.dev>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix potential timing attack vulnerability in HMAC signature verification.
The previous implementation used Ruby's == operator for comparing signatures:
This is vulnerable to timing attacks because == performs byte-by-byte comparison and returns false as soon as it finds a mismatch. An attacker can measure response times to determine how many leading bytes of their forged signature match the valid signature, potentially allowing them to construct a valid signature over many requests.
The fix uses OpenSSL.secure_compare which performs constant-time comparison:
This always takes the same amount of time regardless of where (or if) the strings differ, preventing timing-based information leakage.
Changes:
Security Impact:
References: