myfaces-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lu4...@apache.org
Subject svn commit: r1003343 - /myfaces/shared/trunk_2.0.x/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java
Date Fri, 01 Oct 2010 01:10:13 GMT
Author: lu4242
Date: Fri Oct  1 01:10:12 2010
New Revision: 1003343

URL: http://svn.apache.org/viewvc?rev=1003343&view=rev
Log:
MYFACES-2934 Side-channel timing attack in StateUtils class may still allow padding oracle
attack

Modified:
    myfaces/shared/trunk_2.0.x/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java

Modified: myfaces/shared/trunk_2.0.x/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java
URL: http://svn.apache.org/viewvc/myfaces/shared/trunk_2.0.x/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java?rev=1003343&r1=1003342&r2=1003343&view=diff
==============================================================================
--- myfaces/shared/trunk_2.0.x/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java
(original)
+++ myfaces/shared/trunk_2.0.x/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java
Fri Oct  1 01:10:12 2010
@@ -471,7 +471,13 @@ public final class StateUtils {
                 if (signedDigestHash[i] != secure[secure.length-macLenght+i])
                 {
                     isMacEqual = false;
-                    break;
+                    // MYFACES-2934 Must compare *ALL* bytes of the hash, 
+                    // otherwise a side-channel timing attack is theorically possible
+                    // but with a very very low probability, because the
+                    // comparison time is too small to be measured compared to
+                    // the overall request time and in real life applications,
+                    // there are too many uncertainties involved.
+                    //break;
                 }
             }
             if (!isMacEqual)



Mime
View raw message