Last active
April 26, 2019 10:37
-
-
Save AndrewCarterUK/7b730e2ce16c7546b33120e1688c901a to your computer and use it in GitHub Desktop.
Evaluation of whether the CompareStrings function within node.bcrypt.js is timing safe
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <string.h> | |
| #include <ctime> | |
| // Taken from https://github.com/kelektiv/node.bcrypt.js | |
| bool CompareStrings(const char* s1, const char* s2) { | |
| bool eq = true; | |
| int s1_len = strlen(s1); | |
| int s2_len = strlen(s2); | |
| if (s1_len != s2_len) { | |
| eq = false; | |
| } | |
| const int max_len = (s2_len < s1_len) ? s1_len : s2_len; | |
| // to prevent timing attacks, should check entire string | |
| // don't exit after found to be false | |
| for (int i = 0; i < max_len; ++i) { | |
| if (s1_len >= i && s2_len >= i && s1[i] != s2[i]) { | |
| eq = false; | |
| } | |
| } | |
| return eq; | |
| } | |
| int main(int argc, char *argv[]) | |
| { | |
| const char * Z = ""; | |
| const char * A1 = "abcdefghijklmnopqrstuvwxyz"; | |
| const char * A2 = "abcdefghijklmnopqrstuvwxyz"; | |
| const char * B1 = "zyxwvutsrqponmlkjihgfedcba"; | |
| const char * B2 = "zyxwvutsrqponmlkjihgfedcba"; | |
| const unsigned int number_of_tests = 100000000; | |
| unsigned int i; | |
| clock_t start, delta; | |
| // Print Header | |
| printf("s1\ts2\tt\n"); | |
| // Spin it around for a bit to get past any lag from the start | |
| for (i = 0; i < number_of_tests; i++) { | |
| CompareStrings(Z, Z); | |
| } | |
| // Z vs. A | |
| start = clock(); | |
| for (i = 0; i < number_of_tests; i++) { | |
| CompareStrings(Z, A1); | |
| } | |
| delta = clock() - start; | |
| printf("Z\tA\t%d\n", delta); | |
| // Z vs. B | |
| start = clock(); | |
| for (i = 0; i < number_of_tests; i++) { | |
| CompareStrings(Z, B1); | |
| } | |
| delta = clock() - start; | |
| printf("Z\tB\t%d\n", delta); | |
| // A vs. Z | |
| start = clock(); | |
| for (i = 0; i < number_of_tests; i++) { | |
| CompareStrings(A1, Z); | |
| } | |
| delta = clock() - start; | |
| printf("A\tZ\t%d\n", delta); | |
| // B vs. Z | |
| start = clock(); | |
| for (i = 0; i < number_of_tests; i++) { | |
| CompareStrings(B1, Z); | |
| } | |
| delta = clock() - start; | |
| printf("B\tZ\t%d\n", delta); | |
| // A vs. A | |
| start = clock(); | |
| for (i = 0; i < number_of_tests; i++) { | |
| CompareStrings(A1, A2); | |
| } | |
| delta = clock() - start; | |
| printf("A\tA\t%d\n", delta); | |
| // A vs. B | |
| start = clock(); | |
| for (i = 0; i < number_of_tests; i++) { | |
| CompareStrings(A1, B1); | |
| } | |
| delta = clock() - start; | |
| printf("A\tB\t%d\n", delta); | |
| // B vs. B | |
| start = clock(); | |
| for (i = 0; i < number_of_tests; i++) { | |
| CompareStrings(B1, B2); | |
| } | |
| delta = clock() - start; | |
| printf("B\tB\t%d\n", delta); | |
| // B vs. A | |
| start = clock(); | |
| for (i = 0; i < number_of_tests; i++) { | |
| CompareStrings(B1, A1); | |
| } | |
| delta = clock() - start; | |
| printf("B\tA\t%d\n", delta); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment