diff options
Diffstat (limited to 'filters/simple-authentication.lua')
| -rw-r--r-- | filters/simple-authentication.lua | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index 5935d08..5c4f074 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua | |||
| @@ -45,7 +45,7 @@ function authenticate_post() | |||
| 45 | 45 | ||
| 46 | redirect_to(redirect) | 46 | redirect_to(redirect) |
| 47 | 47 | ||
| 48 | -- TODO: Implement time invariant string comparison function to mitigate timing attack. | 48 | -- Lua hashes strings, so these comparisons are time invariant. |
| 49 | if password == nil or password ~= post["password"] then | 49 | if password == nil or password ~= post["password"] then |
| 50 | set_cookie("cgitauth", "") | 50 | set_cookie("cgitauth", "") |
| 51 | else | 51 | else |
| @@ -222,7 +222,7 @@ function validate_value(cookie) | |||
| 222 | return nil | 222 | return nil |
| 223 | end | 223 | end |
| 224 | 224 | ||
| 225 | -- TODO: implement time invariant comparison to prevent against timing attack. | 225 | -- Lua hashes strings, so these comparisons are time invariant. |
| 226 | if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then | 226 | if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then |
| 227 | return nil | 227 | return nil |
| 228 | end | 228 | end |