katolaz
/
cgit-70
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

auth: lua string comparisons are time invariant

Browse Source 
By default, strings are compared by hash, so we can remove this comment.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
upstream
Jason A. Donenfeld 11 years ago
parent b826537cb4
commit df00ab1096
1 changed files with 2 additions and 2 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 4
      filters/simple-authentication.lua

4
filters/simple-authentication.lua
Unescape View File

@ -45,7 +45,7 @@ function authenticate_post()
redirect_to(redirect) redirect_to(redirect)
-- TODO: Implement time invariant string comparison function to mitigate timing attack. -- Lua hashes strings, so these comparisons are time invariant.
if password == nil or password ~= post["password"] then if password == nil or password ~= post["password"] then
set_cookie("cgitauth", "") set_cookie("cgitauth", "")
else else
@ -222,7 +222,7 @@ function validate_value(cookie)
return nil return nil
end end
-- TODO: implement time invariant comparison to prevent against timing attack. -- Lua hashes strings, so these comparisons are time invariant.
if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
return nil return nil
end end

Write Preview
Loading…
Cancel
Save