Thanks for the warning.
I'd be happy to fix the Java code, but I'll need some guidance. The
last time someone pointed out this attack, I attempted a defense; that
is, the signature validation functions call a function like the
following (in OAuthSignatureMethod.java). I don't know how to improve
on this.
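
public static boolean equals(byte[] a, byte[] b) {
    // Null and empty inputs are handled up front.
    if (a == null)
        return b == null;
    else if (b == null)
        return false;
    else if (b.length <= 0)
        return a.length <= 0;
    // A length mismatch sets a bit in diff, so the result is false.
    byte diff = (byte) ((a.length == b.length) ? 0 : 1);
    int j = 0;
    // Accumulate the XOR of every byte pair with no early exit; the
    // iteration count depends only on a.length, and j wraps around b.
    for (int i = 0; i < a.length; ++i) {
        diff |= a[i] ^ b[j];
        j = (j + 1) % b.length;
    }
    return diff == 0;
}
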
On Jul 14, 5:30 am, taylor <[email protected]> wrote:
> There is a timing vulnerability in the following functions/files:
>
> check_signature in file python/oauth/oauth.py
> isValid in java/core/src/main/java/net/oauth/signature/HMAC_SHA1.java
> equals in java/core/src/main/java/net/oauth/OAuth.java
> check_signature in php/OAuth.php
> verify in ruby/oauth/oauth/signature/base.rb
>
> There may be additional timing vulnerabilities present in OAuth,
> especially in implementations for other languages.
>
> The ==, !=, and Arrays.equals functions terminate early, allowing an
> attacker to incrementally guess the correct HMAC for an arbitrary
> message by repeatedly sending a bogus message with a given HMAC and
> measuring how long it takes for the server to terminate the
> connection. Since the comparison takes longer the more bytes an
> attacker gets correct, this allows a client to forge messages with
> arbitrary contents that will be accepted as valid by the server.
>
> The fix is simple -- implement a function that is timing-independent
> for comparing secret values.
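
Added example (not part of the original thread and not the OAuth library's own code): one way to do the timing-independent comparison the quoted report asks for in Java, by comparing the raw HMAC-SHA1 bytes with the JDK's MessageDigest.isEqual. The class name HmacSha1Check, the key and the base string are hypothetical, constructed values; it assumes Java 8 or later for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class for illustration; not part of the OAuth library.
public class HmacSha1Check {

    static byte[] hmacSha1(byte[] key, String baseString) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return mac.doFinal(baseString.getBytes(StandardCharsets.UTF_8));
    }

    // Returns true only if the Base64 signature matches the HMAC of baseString.
    static boolean isValid(byte[] key, String baseString, String signatureB64)
            throws GeneralSecurityException {
        byte[] provided;
        try {
            provided = Base64.getDecoder().decode(signatureB64);
        } catch (IllegalArgumentException e) {
            return false; // malformed Base64 is rejected before any comparison
        }
        byte[] expected = hmacSha1(key, baseString);
        // MessageDigest.isEqual examines every byte instead of returning at the
        // first mismatch, unlike Arrays.equals or String.equals.
        return MessageDigest.isEqual(expected, provided);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values, not taken from any real deployment.
        byte[] key = "consumer-secret&token-secret".getBytes(StandardCharsets.UTF_8);
        String base = "GET&http%3A%2F%2Fexample.test%2Fphotos&file%3Dvacation.jpg";
        byte[] good = hmacSha1(key, base);
        String goodB64 = Base64.getEncoder().encodeToString(good);

        byte[] tampered = good.clone();
        tampered[tampered.length - 1] ^= 0x01; // differs only in the final byte
        String tamperedB64 = Base64.getEncoder().encodeToString(tampered);

        System.out.println("valid signature:   " + isValid(key, base, goodB64));
        System.out.println("last byte flipped: " + isValid(key, base, tamperedB64));
        System.out.println("truncated value:   " + isValid(key, base, goodB64.substring(0, 8)));
        System.out.println("malformed Base64:  " + isValid(key, base, "!!not-base64!!"));
    }
}
```

Comparing the decoded bytes rather than the Base64 strings keeps the check on fixed-length 20-byte values, so a wrong-length input is rejected without a byte-by-byte early exit.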