Описание
httpsig-rs: HMAC verification is vulnerable to timing attack
Summary
HMAC signature comparison is not timing-safe and is vulnerable to timing attacks.
Details
SharedKey::sign() returns a Vec<u8> which has a non-constant-time equality implementation.
Hmac::finalize() returns a constant-time wrapper (CtOutput) which was discarded. Alternatively, Hmac has a constant-time verify() method.
The problem reported here is due to the following lines in SharedKey::sign() of the previous code:
and the merged update changes the third line to directly verify with verify_slice.
Impact
Anyone who uses HS256 signature verification is vulnerably to Timing Attack that allows the attacker to forge a signature.
Пакеты
httpsig
< 0.0.19
0.0.19
Связанные уязвимости
httpsig-rs is a Rust implementation of IETF RFC 9421 http message signatures. Prior to version 0.0.19, the HMAC signature comparison is not timing-safe. This makes anyone who uses HS256 signature verification vulnerable to a timing attack that allows the attacker to forge a signature. Version 0.0.19 fixes the issue.