Time attack protection on hmac comparison

sebsauvage · sebsauvage · commit 0b4db7ece313 · 2014-02-06T22:52:17.000+01:00
This fixes issue 2.7 of https://defuse.ca/audits/zerobin.htm, and thus (with commit a24212a) also issue 2.8.
diff --git a/index.php b/index.php
@@ -39,6 +39,19 @@ function trafic_limiter_canPass($ip)
     return true;
 }
 
+// Constant time string comparison.
+// (Used to deter time attacks on hmac checking. See section 2.7 of https://defuse.ca/audits/zerobin.htm)
+function slow_equals($a, $b)
+{
+    $diff = strlen($a) ^ strlen($b);
+    for($i = 0; $i < strlen($a) && $i < strlen($b); $i++)
+    {
+        $diff |= ord($a[$i]) ^ ord($b[$i]);
+    }
+    return $diff === 0;
+}
+
+
 /* Convert paste id to storage path.
    The idea is to creates subdirectories in order to limit the number of files per directory.
    (A high number of files in a single directory can slow things down.)
@@ -309,7 +322,7 @@ function processPasteDelete($pasteid,$deletetoken)
         }
     }
 
-    if ($deletetoken != hash_hmac('sha1', $pasteid , getServerSalt())) // Make sure token is valid.
+    if (!slow_equals($deletetoken, hash_hmac('sha1', $pasteid , getServerSalt()))) // Make sure token is valid.
     {
         return array('','Wrong deletion token. Paste was not deleted.','');
     }

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,19 @@ function trafic_limiter_canPass($ip)`
`39`	`39`	`return true;`
`40`	`40`	`}`
`41`	`41`
	`42`	`+// Constant time string comparison.`
	`43`	`+// (Used to deter time attacks on hmac checking. See section 2.7 of https://defuse.ca/audits/zerobin.htm)`
	`44`	`+function slow_equals($a, $b)`
	`45`	`+{`
	`46`	`+ $diff = strlen($a) ^ strlen($b);`
	`47`	`+ for($i = 0; $i < strlen($a) && $i < strlen($b); $i++)`
	`48`	`+ {`
	`49`	`+ $diff \|= ord($a[$i]) ^ ord($b[$i]);`
	`50`	`+ }`
	`51`	`+ return $diff === 0;`
	`52`	`+}`
	`53`	`+`
	`54`	`+`
`42`	`55`	`/* Convert paste id to storage path.`
`43`	`56`	`The idea is to creates subdirectories in order to limit the number of files per directory.`
`44`	`57`	`(A high number of files in a single directory can slow things down.)`
`@@ -309,7 +322,7 @@ function processPasteDelete($pasteid,$deletetoken)`
`309`	`322`	`}`
`310`	`323`	`}`
`311`	`324`
`312`		`- if ($deletetoken != hash_hmac('sha1', $pasteid , getServerSalt())) // Make sure token is valid.`
	`325`	`+ if (!slow_equals($deletetoken, hash_hmac('sha1', $pasteid , getServerSalt()))) // Make sure token is valid.`
`313`	`326`	`{`
`314`	`327`	`return array('','Wrong deletion token. Paste was not deleted.','');`
`315`	`328`	`}`