Hi all,
We can be more conservative.
So 127 is not long enough for SHA-512, make it 256 for larger hashes?
On Tue, Feb 4, 2014 at 5:57 AM, Yasuo Ohgaki <[email protected]> wrote:
> Length leak is a known issue and we may improve these. There was discussion
> for this.
> For the sake of completeness, we may address issues now or later.
>
> To be honest, I think length leak must be avoided especially for shorter
> strings.
> It would be better to iterate at least 100 times regardless of input.
>
> Perhaps, something like
>
> + /**
> + * If known_string has a length of 0 we set the length to 1,
> + * this will cause us to compare all bytes of userString with the null
> byte which fails
> + */
> + mod_len = MAX(known_len, 1);
> len = MAX(known_len, 127);
>
len = MAX(known_len, 256);
> +
> + /* This is security sensitive code. Do not optimize this for speed. */
> + result = known_len - user_len;
>
> + for (j = 0; j < user_len; j++) {
>
> for (j = 0; j < len; j++) {
>
>
> + result |= known_str[j % mod_len] ^ user_str[j];
>
> result |= known_str[j % known_len] ^ user_str[j % user_len];
> + }
>
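Review bot: the proposed loop body `result |= known_str[j % known_len] ^ user_str[j % user_len];` takes a modulus by zero when either string is empty, and it no longer uses the `mod_len = MAX(known_len, 1)` guard that the top of the hunk introduces for exactly that case. Keep `mod_len` for the known string and add an equivalent guard for `user_len`, checking that the index it produces for an empty user string still falls inside the buffer. Separately, with `len = MAX(known_len, 127)` (or 256) the iteration count still follows `known_len` once it exceeds the floor, so the comment should state that the floor only hides lengths up to that size.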
Regards,
--
Yasuo Ohgaki
[email protected]