Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
7 events for the month beginning 2011-10-01 by user dmitry
Following month ↑|
2011-10-24
| ||
| 18:15 | • Ticket [60211effbd] fossil mv nonexistentfile newfilename status still Open with 2 other changes artifact: 8d20eb300d user: dmitry | |
|
2011-10-04
| ||
| 15:20 | Add HMAC-SHA1 implementation. Leaf check-in: dcee34b25f user: dmitry tags: multisession | |
| 15:19 | • Edit [f4eb0f5afcb33598|f4eb0f5afc]: Mark "Closed". artifact: 0425a41e99 user: dmitry | |
| 15:15 | Merge protection against timing attacks into trunk. check-in: d4a341b49d user: dmitry tags: trunk | |
| 14:38 | Merge trunk into dmitry-security branch. Closed-Leaf check-in: f4eb0f5afc user: dmitry tags: dmitry-security | |
| 14:34 | Rename constant_time_eq to constant_time_cmp to better indicate that these functions return 0 when values are equal, like memcmp, strcmp, etc., not truth, to avoid possible mistakes. check-in: d244c484e7 user: dmitry tags: dmitry-security | |
| 14:28 | Revert the previous change after thinking more about it. Login cards in the sync protocol have the following format: login userid nonce signature Nonce is SHA-1 of the message that follows this line, signature is SHA-1 of the concatenation of the nonce and user's shared secret. The successful timing attack can reveal only signature for this particular packet due to nonce. However, as nonce is known to the attacker, it's theoretically possible for them to bruteforce the shared secret_offline_. The whole scenario sounds highly improbable, but using constant-time comparison function for such things by default is a good practice. check-in: 13a9a1244c user: dmitry tags: dmitry-security | |