crypto/subtle: ConstantTimeCompare is wrong if x is zero length #6937

Closed
jmhodges opened this issue Dec 12, 2013 · 2 comments

@jmhodges
Contributor

This is maybe just supposed to be a documented constraint, but it just showed up when I
tried to say "well, go does this right".

  if subtle.ConstantTimeCompare([]byte{}, []byte{'1'}) == 1 {
    t.Errorf("nope")
  }

If x is zero length, the returned byte is 1, instead of zero for any y input.

Also, I assume that x is supposed to be the array of unknown provenance (to prevent
attackers learning the length of y, that is secret), but that's not documented here.

@jmhodges
Contributor Author

Comment 1:

(Oh, jeez, and if someone could correct my typo in this issue title, that would be
great.)

@ality
Member

ality commented Dec 12, 2013

Comment 2:

This function only works for slices of equal length. This is noted in the documentation.
And the argument order doesn't matter. The convention in the standard library is to
place the local slice first and the attacker-controlled slice second.

Status changed to WorkingAsIntended.

@golang golang locked and limited conversation to collaborators Jun 25, 2016
This issue was closed.
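
The equal-length precondition discussed in this thread, as an added Go example (not code from the issue or from the Go project). `loopOverX` is a constructed model of a compare that iterates over x only, and `equalSameLength` and `equalHidingLength` are hypothetical wrapper names for two ways a caller can enforce the precondition.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// loopOverX is a constructed model (not the standard library source) of a
// compare that walks x only and never looks at len(y). With len(x) == 0 the
// loop body never runs, so the accumulator stays 0 and the result is 1.
func loopOverX(x, y []byte) int {
	var v byte
	for i := 0; i < len(x); i++ {
		v |= x[i] ^ y[i]
	}
	return subtle.ConstantTimeByteEq(v, 0)
}

// equalSameLength enforces the equal-length precondition before comparing.
// The early return reveals only that the lengths differ, which is acceptable
// when the expected length is public (fixed-size MACs, digests, tokens).
func equalSameLength(local, untrusted []byte) bool {
	if len(local) != len(untrusted) {
		return false
	}
	return subtle.ConstantTimeCompare(local, untrusted) == 1
}

// equalHidingLength hashes both inputs so the constant-time compare always
// runs over two 32-byte digests, whatever the input lengths are. Use it when
// a length mismatch with the local secret must not be observable.
func equalHidingLength(local, untrusted []byte) bool {
	a := sha256.Sum256(local)
	b := sha256.Sum256(untrusted)
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

func main() {
	empty, one := []byte{}, []byte{'1'} // constructed inputs from the issue
	fmt.Println("model, empty x:", loopOverX(empty, one))
	fmt.Println("length-checked:", equalSameLength(empty, one))
	fmt.Println("digest compare:", equalHidingLength(empty, one))
	fmt.Println("equal inputs:  ", equalSameLength(one, []byte{'1'}))
}
```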