samizdatco/nginx-http-auth-digest

Susceptible to timing attack?

Closed this issue · 1 comment

I followed the model of the auth_basic module, which steps through the password file's contents on every request and verifies the client's credentials against the file bytes as it goes. As a result, the current implementation could be vulnerable to timing attacks (since it returns as soon as it finds a match).

The simplest solution to this would seem to be adding a sleep(random()) that delays the response by a few (dozen? hundred?) milliseconds. I presume the non-blocking way to do this would be to use a timer?

A random timeout still seems like the best way to solve this problem, but I've had a devilishly hard time finding examples of how to add a delay without blocking the worker process. Some discussion can be found here, but the thread is kind of a mess...

As a partial solution, the passwd file reader now steps through every line in its entirety rather than bailing out as soon as a non-matching character is found in the username or realm. Hopefully this, combined with network latency, makes this attack no longer worth worrying about?

See commit.
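The partial mitigation described in the comment, as an added example that is not the module's own code: a lookup over a digest passwd buffer that does identical byte-for-byte work on every line, so the response time does not depend on where (or whether) the client-supplied user and realm diverge from a stored entry. The sample file contents and the function name `ct_find_line` are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a digest passwd file: "user:realm:HA1" per line. */
static const char SAMPLE_PASSWD[] =
    "alice:myrealm:0123456789abcdef0123456789abcdef\n"
    "bob:myrealm:fedcba9876543210fedcba9876543210\n";

/* Looks up "user:realm:" in buf without returning early: every byte of every
 * line is processed with identical work, so elapsed time does not reveal how
 * many leading bytes of the key agreed with any line. Returns the 0-based
 * index of the matching line, or -1. Assumes each line ends in '\n'.
 * Hypothetical helper, not code from nginx-http-auth-digest. */
int ct_find_line(const char *buf, size_t buflen,
                 const char *user, const char *realm)
{
    char key[256];
    if (strpbrk(user, ":\n") || strchr(realm, '\n'))
        return -1;                       /* no key that could span lines */
    int n = snprintf(key, sizeof key, "%s:%s:", user, realm);
    if (n < 0 || (size_t)n >= sizeof key)
        return -1;
    size_t keylen = (size_t)n;
    int found = -1, line = 0;
    size_t pos = 0;          /* offset within the current line */
    unsigned char diff = 0;  /* OR of all byte differences on this line */
    for (size_t i = 0; i < buflen; i++) {
        unsigned char c = (unsigned char)buf[i];
        /* Past the end of the key, compare the byte with itself: same work,
         * no effect. keylen is the client's own input, so this branch is
         * not secret-dependent. */
        unsigned char expect = pos < keylen ? (unsigned char)key[pos] : c;
        diff |= (unsigned char)(c ^ expect);
        pos++;
        if (c == '\n') {
            /* match iff no byte differed and the line covered the whole key */
            int ok = (diff == 0) & (pos > keylen);
            found ^= (found ^ line) & -ok;   /* branch-free select */
            line++; pos = 0; diff = 0;
        }
    }
    return found;
}

int main(void)
{
    size_t len = strlen(SAMPLE_PASSWD);
    printf("bob -> line %d\n", ct_find_line(SAMPLE_PASSWD, len, "bob", "myrealm"));
    return 0;
}
```

The scan still takes time proportional to the file size, which is public; what it no longer reveals is the position of the first mismatch, the signal an early-exit comparison leaks.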