pimhwang
/
spreed-webrtc
mirror of https://github.com/strukturag/spreed-webrtc.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Compare HMACs in constant time to mitigate timing attack

pull/309/head
Leon Klingele 9 years ago
parent
8888a496c5
commit
ed044a3d8b
1 changed files with 2 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      go/channelling/server/users.go

3
go/channelling/server/users.go
Unescape View File

@ -26,6 +26,7 @@ import ( @@ -26,6 +26,7 @@ import (
"crypto/hmac"
"crypto/rand"
"crypto/sha256"
"crypto/subtle"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
@ -95,7 +96,7 @@ func (uh *UsersSharedsecretHandler) Validate(snr *SessionNonceRequest, request * @@ -95,7 +96,7 @@ func (uh *UsersSharedsecretHandler) Validate(snr *SessionNonceRequest, request *
}
secret := uh.createHMAC(snr.UseridCombo)
if snr.Secret != secret {
if subtle.ConstantTimeCompare([]byte(snr.Secret), []byte(secret)) != 1 {
return "", errors.New("invalid secret")
}

Write Preview
Loading…
Cancel
Save