[tor-commits] [goptlib/master] Use constant-time compare for auth cookie header.
dcf at torproject.org
dcf at torproject.org
Sun Nov 10 03:11:28 UTC 2013
commit c00891640650bc553f7c4e7eb12ba43cce23f273
Author: David Fifield <david at bamsoftware.com>
Date: Sat Nov 9 17:08:58 2013 -0800
Use constant-time compare for auth cookie header.
Why not.
---
pt.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pt.go b/pt.go
index d64f169..a8bd001 100644
--- a/pt.go
+++ b/pt.go
@@ -338,7 +338,7 @@ func readAuthCookie(f io.Reader) ([]byte, error) {
}
header := buf[0:32]
cookie := buf[32:64]
- if !bytes.Equal(header, authCookieHeader) {
+ if subtle.ConstantTimeCompare(header, authCookieHeader) != 1 {
return nil, errors.New(fmt.Sprintf("missing auth cookie header"))
}
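Review bot: The constant-time comparison on the `+` line is applied to `authCookieHeader`, which by its name and use looks like a fixed file-format marker rather than a secret, so the timing of this check presumably reveals nothing sensitive; the secret material is the `cookie` slice taken from bytes 32–64. A one-line comment would stop later readers from mistaking this for the security-critical comparison, for example `// header is a public constant; the constant-time compare is defensive only`. Separately, the unchanged return line wraps a literal in `fmt.Sprintf` with no arguments, so `errors.New("missing auth cookie header")` would be equivalent. The body of readAuthCookie starts before the hunk and continues after it, so whether the cookie itself is later compared in constant time cannot be confirmed from here.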