[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [goptlib/master] Use constant-time compare for auth cookie header.

To: tor-commits@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-commits] [goptlib/master] Use constant-time compare for auth cookie header.
From: dcf@xxxxxxxxxxxxxx
Date: Sun, 10 Nov 2013 03:11:28 +0000 (UTC)
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 09 Nov 2013 22:11:17 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-commits/>
List-help: <mailto:tor-commits-request@lists.torproject.org?subject=help>
List-id: "auto: code repository commits" <tor-commits.lists.torproject.org>
List-post: <mailto:tor-commits@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=unsubscribe>
Patch-author: David Fifield <david@xxxxxxxxxxxxxxx>
Sender: "tor-commits" <tor-commits-bounces@xxxxxxxxxxxxxxxxxxxx>

commit c00891640650bc553f7c4e7eb12ba43cce23f273
Author: David Fifield <david@xxxxxxxxxxxxxxx>
Date:   Sat Nov 9 17:08:58 2013 -0800

    Use constant-time compare for auth cookie header.
    
    Why not.
---
 pt.go |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pt.go b/pt.go
index d64f169..a8bd001 100644
--- a/pt.go
+++ b/pt.go
@@ -338,7 +338,7 @@ func readAuthCookie(f io.Reader) ([]byte, error) {
 	}
 	header := buf[0:32]
 	cookie := buf[32:64]
-	if !bytes.Equal(header, authCookieHeader) {
+	if subtle.ConstantTimeCompare(header, authCookieHeader) != 1 {
 		return nil, errors.New(fmt.Sprintf("missing auth cookie header"))
 	}
 



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits

Prev by Author: [tor-commits] [goptlib/master] Read the auth cookie file in one operation.
Next by Author: [tor-commits] [goptlib/master] Use generic io.Reader and io.Writer.
Previous by thread: [tor-commits] [goptlib/master] Read the auth cookie file in one operation.
Next by thread: [tor-commits] [goptlib/master] Use generic io.Reader and io.Writer.
Index(es):
- Author
- Thread