Fixed timing attack in cookie validation.
- Changed from using string == to hmac.Equal - See more details here: http://verboselogging.com/2012/08/20/a-timing-attack-in-action
This commit is contained in:
parent
2f165345a8
commit
ad57a9391f
13
cookies.go
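--- a/cookies.go
+++ b/cookies.go
@@ -18,7 +18,7 @@ func validateCookie(cookie *http.Cookie, seed string) (string, bool) {
 return "", false
 }
 sig := cookieSignature(seed, cookie.Name, parts[0], parts[1])
-if parts[2] == sig {
+if checkHmac(parts[2], sig) {
 ts, err := strconv.Atoi(parts[1])
 if err == nil && int64(ts) > time.Now().Add(time.Duration(24)*7*time.Hour*-1).Unix() {
 // it's a valid cookie. now get the contents
@@ -48,3 +48,14 @@ func cookieSignature(args ...string) string {
 b = h.Sum(b)
 return base64.URLEncoding.EncodeToString(b)
 }
+
+func checkHmac(input, expected string) bool {
+inputMAC, err1 := base64.URLEncoding.DecodeString(input)
+if err1 == nil {
+expectedMAC, err2 := base64.URLEncoding.DecodeString(expected)
+if err2 == nil {
+return hmac.Equal(inputMAC, expectedMAC)
+}
+}
+return false
+}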
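Review bot: The new checkHmac base64-decodes both operands before comparing, but `expected` is the string cookieSignature just produced locally, so its decode can only fail if the encoder and decoder disagree, and decoding `input` means any non-canonical encoding that happens to decode to the same bytes is accepted as well; comparing the encoded strings directly is simpler and avoids both, e.g. `func checkHmac(input, expected string) bool { return hmac.Equal([]byte(input), []byte(expected)) }`. If the decode is kept on purpose, the nested ifs with err1/err2 read more easily as guard clauses (`if err != nil { return false }` after each DecodeString). Either way the function is exported-style code without a doc comment; suggest `// checkHmac reports whether input equals expected using a constant-time comparison.` above it. The first hunk sits inside validateCookie, whose body starts and ends outside the hunk, so the timestamp check that follows the MAC comparison is only partly visible here.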