From df00ab1096868b3cffe563c48de5572f78b50392 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Thu, 16 Jan 2014 19:47:35 +0100
Subject: auth: lua string comparisons are time invariant

By default, strings are compared by hash, so we can remove this comment.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 filters/simple-authentication.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'filters')

diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index 5935d08..5c4f074 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -45,7 +45,7 @@ function authenticate_post()
 
 	redirect_to(redirect)
 
-	-- TODO: Implement time invariant string comparison function to mitigate timing attack.
+	-- Lua hashes strings, so these comparisons are time invariant.
 	if password == nil or password ~= post["password"] then
 		set_cookie("cgitauth", "")
 	else
@@ -222,7 +222,7 @@ function validate_value(cookie)
 		return nil
 	end
 
-	-- TODO: implement time invariant comparison to prevent against timing attack.
+	-- Lua hashes strings, so these comparisons are time invariant.
 	if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
 		return nil
 	end
-- 
cgit v1.2.3