neocgit

a more 'modern' version of cgit
Log | Files | Refs | Submodules | README | LICENSE | git clone https://git.ne02ptzero.me/git/neocgit

commit df00ab1096868b3cffe563c48de5572f78b50392
parent b826537cb4aa2358027ffcb1dd6a87274734e962
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Thu, 16 Jan 2014 19:47:35 +0100

auth: lua string comparisons are time invariant

By default, strings are compared by hash, so we can remove this comment.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Diffstat:
Mfilters/simple-authentication.lua | 4++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua @@ -45,7 +45,7 @@ function authenticate_post() redirect_to(redirect) - -- TODO: Implement time invariant string comparison function to mitigate timing attack. + -- Lua hashes strings, so these comparisons are time invariant. if password == nil or password ~= post["password"] then set_cookie("cgitauth", "") else @@ -222,7 +222,7 @@ function validate_value(cookie) return nil end - -- TODO: implement time invariant comparison to prevent against timing attack. + -- Lua hashes strings, so these comparisons are time invariant. if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then return nil end