diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2014-01-17 03:47:35 (JST) |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2014-01-17 03:47:35 (JST) |
commit | df00ab1096868b3cffe563c48de5572f78b50392 (patch) | |
tree | e58f6e5dbc25e06f96b3b59bc8349b7cf75e7677 | |
parent | b826537cb4aa2358027ffcb1dd6a87274734e962 (diff) | |
download | cgit-df00ab1096868b3cffe563c48de5572f78b50392.zip cgit-df00ab1096868b3cffe563c48de5572f78b50392.tar.gz |
auth: lua string comparisons are time invariant
By default, strings are compared by hash, so we can remove this comment.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r-- | filters/simple-authentication.lua | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index 5935d08..5c4f074 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua | |||
@@ -45,7 +45,7 @@ function authenticate_post() | |||
45 | 45 | ||
46 | redirect_to(redirect) | 46 | redirect_to(redirect) |
47 | 47 | ||
48 | -- TODO: Implement time invariant string comparison function to mitigate timing attack. | 48 | -- Lua hashes strings, so these comparisons are time invariant. |
49 | if password == nil or password ~= post["password"] then | 49 | if password == nil or password ~= post["password"] then |
50 | set_cookie("cgitauth", "") | 50 | set_cookie("cgitauth", "") |
51 | else | 51 | else |
@@ -222,7 +222,7 @@ function validate_value(cookie) | |||
222 | return nil | 222 | return nil |
223 | end | 223 | end |
224 | 224 | ||
225 | -- TODO: implement time invariant comparison to prevent against timing attack. | 225 | -- Lua hashes strings, so these comparisons are time invariant. |
226 | if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then | 226 | if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then |
227 | return nil | 227 | return nil |
228 | end | 228 | end |