Merge pull request #13 from polezaivsani/fix_timming_sidechannel

robbert229 · web-flow · commit ca1404ee6e83 · 2017-04-26T12:11:22.000-07:00
Spoil timming side-channel attack when comparing macs
diff --git a/algorithms.go b/algorithms.go
@@ -142,7 +142,7 @@ func (a *Algorithm) validateSignature(encoded string) error {
 
 	b64SignedAttempt := base64.RawURLEncoding.EncodeToString([]byte(signedAttempt))
 
-	if strings.Compare(b64Signature, b64SignedAttempt) != 0 {
+	if !hmac.Equal([]byte(b64Signature), []byte(b64SignedAttempt)) {
 		return errors.New("invalid signature")
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -142,7 +142,7 @@ func (a *Algorithm) validateSignature(encoded string) error {`
`142`	`142`
`143`	`143`	`b64SignedAttempt := base64.RawURLEncoding.EncodeToString([]byte(signedAttempt))`
`144`	`144`
`145`		`- if strings.Compare(b64Signature, b64SignedAttempt) != 0 {`
	`145`	`+ if !hmac.Equal([]byte(b64Signature), []byte(b64SignedAttempt)) {`
`146`	`146`	`return errors.New("invalid signature")`
`147`	`147`	`}`
`148`	`148`