Skip to content

Safe compare password (timing attack) #338

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 3, 2016
Merged

Safe compare password (timing attack) #338

merged 1 commit into from
Dec 3, 2016

Conversation

denji
Copy link
Contributor

@denji denji commented Dec 2, 2016
edited
Loading

Missing implementation ExternalUserLogin

  • LoginLDAP
  • LoginSMTP
  • LoginPAM

@denji denji changed the title Safe compare password (time attack) Safe compare password (timing attack) Dec 2, 2016
@strk
Copy link
Member

strk commented Dec 2, 2016

Just curious: how's == operator time dependant on password content ?

@tboerger tboerger added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 2, 2016
@strk
Copy link
Member

strk commented Dec 2, 2016

Got it: early exit on difference
REF: http://stackoverflow.com/questions/20663468/secure-compare-of-strings-in-go

As for this PR: LGTM

@tboerger tboerger added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 2, 2016
@Bwko
Copy link
Member

Bwko commented Dec 2, 2016

LGTM

@tboerger tboerger added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 2, 2016
@tboerger tboerger added this to the 1.0.0 milestone Dec 2, 2016
@tboerger tboerger added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Dec 2, 2016
@lunny lunny merged commit c8f300b into go-gitea:master Dec 3, 2016
@denji denji deleted the time_attack branch December 3, 2016 08:40
@go-gitea go-gitea locked and limited conversation to collaborators Nov 23, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!
Projects
None yet
Milestone
1.0.0
Development

Successfully merging this pull request may close these issues.
5 participants
@denji @strk @Bwko @lunny @tboerger