diff options
-rw-r--r-- | filters/simple-authentication.lua | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index 5935d08..5c4f074 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua | |||
@@ -45,7 +45,7 @@ function authenticate_post() | |||
45 | 45 | ||
46 | redirect_to(redirect) | 46 | redirect_to(redirect) |
47 | 47 | ||
48 | -- TODO: Implement time invariant string comparison function to mitigate timing attack. | 48 | -- Lua hashes strings, so these comparisons are time invariant. |
49 | if password == nil or password ~= post["password"] then | 49 | if password == nil or password ~= post["password"] then |
50 | set_cookie("cgitauth", "") | 50 | set_cookie("cgitauth", "") |
51 | else | 51 | else |
@@ -222,7 +222,7 @@ function validate_value(cookie) | |||
222 | return nil | 222 | return nil |
223 | end | 223 | end |
224 | 224 | ||
225 | -- TODO: implement time invariant comparison to prevent against timing attack. | 225 | -- Lua hashes strings, so these comparisons are time invariant. |
226 | if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then | 226 | if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then |
227 | return nil | 227 | return nil |
228 | end | 228 | end |