auth: lua string comparisons are time invariant By default, strings are compared by hash, so we can remove this comment. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Jason A. Donenfeld Jason@zx2c4.com
Thu, 16 Jan 2014 19:47:35 +0100
1 files changed,
2 insertions(+),
2 deletions(-)
M
filters/simple-authentication.lua
→
filters/simple-authentication.lua
@@ -45,7 +45,7 @@ end
redirect_to(redirect) - -- TODO: Implement time invariant string comparison function to mitigate timing attack. + -- Lua hashes strings, so these comparisons are time invariant. if password == nil or password ~= post["password"] then set_cookie("cgitauth", "") else@@ -222,7 +222,7 @@ if hmac == nil or hmac:len() == 0 then
return nil end - -- TODO: implement time invariant comparison to prevent against timing attack. + -- Lua hashes strings, so these comparisons are time invariant. if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then return nil end