auth: lua string comparisons are time invariant

By default, strings are compared by hash, so we can remove this comment. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
author: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-17 03:47:35 (JST)
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-17 03:47:35 (JST)
commit: df00ab1096868b3cffe563c48de5572f78b50392 (patch)
tree: e58f6e5dbc25e06f96b3b59bc8349b7cf75e7677 /filters
parent: b826537cb4aa2358027ffcb1dd6a87274734e962 (diff)
download: cgit-df00ab1096868b3cffe563c48de5572f78b50392.zip
cgit-df00ab1096868b3cffe563c48de5572f78b50392.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index 5935d08..5c4f074 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -45,7 +45,7 @@ function authenticate_post()
        redirect_to(redirect)
-        -- TODO: Implement time invariant string comparison function to mitigate timing attack.
+        -- Lua hashes strings, so these comparisons are time invariant.
        if password == nil or password ~= post["password"] then
                set_cookie("cgitauth", "")
        else
@@ -222,7 +222,7 @@ function validate_value(cookie)
                return nil
        end
-        -- TODO: implement time invariant comparison to prevent against timing attack.
+        -- Lua hashes strings, so these comparisons are time invariant.
        if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
                return nil
        end
author	Jason A. Donenfeld <Jason@zx2c4.com>	2014-01-17 03:47:35 (JST)
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2014-01-17 03:47:35 (JST)
commit	df00ab1096868b3cffe563c48de5572f78b50392 (patch)
tree	e58f6e5dbc25e06f96b3b59bc8349b7cf75e7677 /filters
parent	b826537cb4aa2358027ffcb1dd6a87274734e962 (diff)
download	cgit-df00ab1096868b3cffe563c48de5572f78b50392.zip cgit-df00ab1096868b3cffe563c48de5572f78b50392.tar.gz

diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index 5935d08..5c4f074 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua
@@ -45,7 +45,7 @@ function authenticate_post()
45		45
46	redirect_to(redirect)	46	redirect_to(redirect)
47		47
48	-- TODO: Implement time invariant string comparison function to mitigate timing attack.	48	-- Lua hashes strings, so these comparisons are time invariant.
49	if password == nil or password ~= post["password"] then	49	if password == nil or password ~= post["password"] then
50	set_cookie("cgitauth", "")	50	set_cookie("cgitauth", "")
51	else	51	else
@@ -222,7 +222,7 @@ function validate_value(cookie)
222	return nil	222	return nil
223	end	223	end
224		224
225	-- TODO: implement time invariant comparison to prevent against timing attack.	225	-- Lua hashes strings, so these comparisons are time invariant.
226	if hmac ~= crypto.hmac.digest("sha1", value .. "\|" .. tostring(expiration) .. "\|" .. salt, secret) then	226	if hmac ~= crypto.hmac.digest("sha1", value .. "\|" .. tostring(expiration) .. "\|" .. salt, secret) then
227	return nil	227	return nil
228	end	228	end