aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGravatar Jason A. Donenfeld <Jason@zx2c4.com>2014-01-17 03:47:35 (JST)
committerGravatar Jason A. Donenfeld <Jason@zx2c4.com>2014-01-17 03:47:35 (JST)
commitdf00ab1096868b3cffe563c48de5572f78b50392 (patch)
treee58f6e5dbc25e06f96b3b59bc8349b7cf75e7677
parentb826537cb4aa2358027ffcb1dd6a87274734e962 (diff)
downloadcgit-df00ab1096868b3cffe563c48de5572f78b50392.zip
cgit-df00ab1096868b3cffe563c48de5572f78b50392.tar.gz
auth: lua string comparisons are time invariant
By default, strings are compared by hash, so we can remove this comment. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r--filters/simple-authentication.lua4
1 files changed, 2 insertions, 2 deletions
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index 5935d08..5c4f074 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -45,7 +45,7 @@ function authenticate_post()
45 45
46 redirect_to(redirect) 46 redirect_to(redirect)
47 47
48 -- TODO: Implement time invariant string comparison function to mitigate timing attack. 48 -- Lua hashes strings, so these comparisons are time invariant.
49 if password == nil or password ~= post["password"] then 49 if password == nil or password ~= post["password"] then
50 set_cookie("cgitauth", "") 50 set_cookie("cgitauth", "")
51 else 51 else
@@ -222,7 +222,7 @@ function validate_value(cookie)
222 return nil 222 return nil
223 end 223 end
224 224
225 -- TODO: implement time invariant comparison to prevent against timing attack. 225 -- Lua hashes strings, so these comparisons are time invariant.
226 if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then 226 if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
227 return nil 227 return nil
228 end 228 end