auth: lua string comparisons are time invariant

By default, strings are compared by hash, so we can remove this comment.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index 5935d080f87e0388a2dfdcf9b8b1586f93c186d5..5c4f074b8b1a6d84572aeeac3eb507f88aa2eca3 100644 (file)
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -45,7 +45,7 @@ function authenticate_post()
 
        redirect_to(redirect)
 
 
        redirect_to(redirect)
 

-       -- TODO: Implement time invariant string comparison function to mitigate timing attack.
+       -- Lua hashes strings, so these comparisons are time invariant.

        if password == nil or password ~= post["password"] then
                set_cookie("cgitauth", "")
        else
        if password == nil or password ~= post["password"] then
                set_cookie("cgitauth", "")
        else


@@ -222,7 +222,7 @@ function validate_value(cookie)
                return nil
        end
 
                return nil
        end
 

-       -- TODO: implement time invariant comparison to prevent against timing attack.
+       -- Lua hashes strings, so these comparisons are time invariant.

        if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
                return nil
        end
        if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
                return nil
        end