diff options
| author |  jvoisin <julien.voisin@dustri.org>
| 2024-03-04 00:08:55 +0100 |
|---|---|---|
| committer |  Frédéric Guillot <f@miniflux.net>
| 2024-03-03 20:28:13 -0800 |
| commit | d55b41080062915e728b6afb75f5623927f100f7 (patch) | |
| tree | 2e2633259c7398f09df6e94a314095b7a989cfe8 /internal/crypto/crypto.go | |
| parent | 9fe99ce7fa99c3b1acd9b7894fcc8350e2564d97 (diff) | |
| download | v2-d55b41080062915e728b6afb75f5623927f100f7.tar.gz v2-d55b41080062915e728b6afb75f5623927f100f7.tar.zst v2-d55b41080062915e728b6afb75f5623927f100f7.zip | |
Use constant-time comparison for anti-csrf tokens
This is probably completely overkill, but since anti-csrf tokens are secrets,
they should be compared against untrusted inputs in constant time.
Diffstat (limited to 'internal/crypto/crypto.go')
| -rw-r--r-- | internal/crypto/crypto.go | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/internal/crypto/crypto.go b/internal/crypto/crypto.go index 4c195508..0b0ab6c6 100644 --- a/internal/crypto/crypto.go +++ b/internal/crypto/crypto.go @@ -7,6 +7,7 @@ import ( "crypto/hmac" "crypto/rand" "crypto/sha256" + "crypto/subtle" "encoding/base64" "encoding/hex" "fmt" @@ -60,3 +61,7 @@ func GenerateUUID() string { b := GenerateRandomBytes(16) return fmt.Sprintf("%X-%X-%X-%X-%X", b[0:4], b[4:6], b[6:8], b[8:10], b[10:]) } + +func ConstantTimeCmp(a, b string) bool { + return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 +} |