pimhwang
/
spreed-webrtc
mirror of https://github.com/strukturag/spreed-webrtc.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge pull request #309 from leonklingele/constant-time-hmac 

Compare HMACs in constant time to mitigate timing attack
pull/325/head
Simon Eisenmann 9 years ago committed by GitHub
parent
8888a496c5 ed044a3d8b
commit
68a1233fb6
1 changed files with 2 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      go/channelling/server/users.go

3
go/channelling/server/users.go
Unescape View File

@ -26,6 +26,7 @@ import (
"crypto/hmac" "crypto/hmac"
"crypto/rand" "crypto/rand"
"crypto/sha256" "crypto/sha256"
"crypto/subtle"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
@ -95,7 +96,7 @@ func (uh *UsersSharedsecretHandler) Validate(snr *SessionNonceRequest, request *
} }
secret := uh.createHMAC(snr.UseridCombo) secret := uh.createHMAC(snr.UseridCombo)
if snr.Secret != secret { if subtle.ConstantTimeCompare([]byte(snr.Secret), []byte(secret)) != 1 {
return "", errors.New("invalid secret") return "", errors.New("invalid secret")
} }

Write Preview
Loading…
Cancel
Save