mirror of
https://git.zx2c4.com/cgit
synced 2024-11-22 00:18:41 +00:00
auth: lua string comparisons are time invariant
By default, strings are compared by hash, so we can remove this comment. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
parent
b826537cb4
commit
df00ab1096
@ -45,7 +45,7 @@ function authenticate_post()
|
|||||||
|
|
||||||
redirect_to(redirect)
|
redirect_to(redirect)
|
||||||
|
|
||||||
-- TODO: Implement time invariant string comparison function to mitigate timing attack.
|
-- Lua hashes strings, so these comparisons are time invariant.
|
||||||
if password == nil or password ~= post["password"] then
|
if password == nil or password ~= post["password"] then
|
||||||
set_cookie("cgitauth", "")
|
set_cookie("cgitauth", "")
|
||||||
else
|
else
|
||||||
@ -222,7 +222,7 @@ function validate_value(cookie)
|
|||||||
return nil
|
return nil
|
||||||
end
|
end
|
||||||
|
|
||||||
-- TODO: implement time invariant comparison to prevent against timing attack.
|
-- Lua hashes strings, so these comparisons are time invariant.
|
||||||
if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
|
if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
|
||||||
return nil
|
return nil
|
||||||
end
|
end
|
||||||
|
Loading…
Reference in New Issue
Block a user