[tor-commits] [goptlib/master] Use constant-time compare for auth cookie header.
commit c00891640650bc553f7c4e7eb12ba43cce23f273
Author: David Fifield <david@xxxxxxxxxxxxxxx>
Date: Sat Nov 9 17:08:58 2013 -0800
Use constant-time compare for auth cookie header.
Why not.
---
pt.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pt.go b/pt.go
index d64f169..a8bd001 100644
--- a/pt.go
+++ b/pt.go
@@ -338,7 +338,7 @@ func readAuthCookie(f io.Reader) ([]byte, error) {
}
header := buf[0:32]
cookie := buf[32:64]
- if !bytes.Equal(header, authCookieHeader) {
+ if subtle.ConstantTimeCompare(header, authCookieHeader) != 1 {
return nil, errors.New(fmt.Sprintf("missing auth cookie header"))
}
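Review bot: The replacement line at `if subtle.ConstantTimeCompare(header, authCookieHeader) != 1 {` needs `crypto/subtle`, but the diffstat shows one insertion and one deletion in pt.go, so no import changes here. Please confirm that `crypto/subtle` is already imported and that `bytes` is still used elsewhere in the file, otherwise it will not build. Also note that the value compared here is the 32-byte `header` read from the cookie file against `authCookieHeader`, which appears to be a fixed marker rather than the secret; the timing-sensitive comparisons are any that involve `cookie` or values derived from it, so those deserve the same treatment. Minor style point on the unchanged return line: `errors.New(fmt.Sprintf("missing auth cookie header"))` has no format arguments and can be `errors.New("missing auth cookie header")`.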