Ensure verifySignature does not leak useful timing information

This avoids easy timing attacks against signature verification by double-hashing before comparing values. The information we leak after this patch is useless unless the hash function is completely broken. Closes #36
TritonDataCenter · Sep 21, 2015 · 78ab1da · 78ab1da
1 parent 5f13706
commit 78ab1da
Showing 1 changed file with 16 additions and 2 deletions.
diff --git a/lib/verify.js b/lib/verify.js
@@ -48,9 +48,23 @@ module.exports = {
     if (!alg || alg.length !== 2)
       throw new TypeError('parsedSignature: unsupported algorithm ' +
                           parsedSignature.algorithm);
+    var hashAlg = alg[1].toUpperCase();
 
-    var hmac = crypto.createHmac(alg[1].toUpperCase(), secret);
+    var hmac = crypto.createHmac(hashAlg, secret);
     hmac.update(parsedSignature.signingString);
-    return (hmac.digest('base64') === parsedSignature.params.signature);
+
+    /*
+     * Now double-hash to avoid leaking timing information - there's
+     * no easy constant-time compare in JS, so we use this approach
+     * instead. See for more info:
+     * https://www.isecpartners.com/blog/2011/february/double-hmac-
+     * verification.aspx
+     */
+    var h1 = crypto.createHmac(hashAlg, secret);
+    h1.update(hmac.digest());
+    var h2 = crypto.createHmac(hashAlg, secret);
+    h2.update(new Buffer(parsedSignature.params.signature, 'base64'));
+
+    return (h1.digest().equals(h2.digest()));
   }
 };