Skip to content
Permalink
Browse files Browse the repository at this point in the history
Preventing timing attacks
- By using ConstantTimeCompare

Reviewed by:
Testing:
Tickets:
Backport:
  • Loading branch information
Agniva De Sarker committed Oct 10, 2014
1 parent aef3aad commit 477c10c
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions scrypt.go
Expand Up @@ -4,6 +4,7 @@ import (
"bytes"
"crypto/rand"
"crypto/sha256"
"crypto/subtle"
"encoding/binary"
"log"

Expand Down Expand Up @@ -117,8 +118,12 @@ func VerifyPassphrase(passphrase string, keylen_bytes int, target_key []byte) (r
}
source_hash := hash_digest.Sum(nil)

result = bytes.Equal(source_master_key, target_master_key) &&
bytes.Equal(target_hash, source_hash)
// ConstantTimeCompare returns ints. Converting it to bool
key_comp := subtle.ConstantTimeCompare(source_master_key,
target_master_key) != 0
hash_comp := subtle.ConstantTimeCompare(target_hash,
source_hash) != 0
result = key_comp && hash_comp
return
}

Expand Down

0 comments on commit 477c10c

Please sign in to comment.