crypto/subtle: ConstantTimeCompare does not barf if slice lengths are unequal #7304

Closed
hanwen opened this issue Feb 11, 2014 · 5 comments

@hanwen

hanwen commented Feb 11, 2014

http://play.golang.org/p/12ZtQewpMz

What is the expected output?

I expect symmetrical behavior, and since the use is incorrect, it would be good to panic. If somebody puts attacker-controlled data in the first arg, misuse would be disastrous.


What do you see instead?

If the 2nd argument is smaller than the 1st => crash
If the 1st argument is smaller than the 2nd => success

@bradfitz

Comment 1:

Adam?

Labels changed: added repo-main.

Owner changed to @agl.

@agl

agl commented Feb 12, 2014

Comment 2:

Hmm. I rather think that users of 'subtle' should be paying attention to the docs at least.
But perhaps this is too subtle even for 'subtle'.
https://golang.org/cl/62190043 out for review.

@agl

agl commented Feb 12, 2014

Comment 3:

This issue was closed by revision 384f438.

Status changed to Fixed.

@ianlancetaylor

Comment 4:

Issue #8131 has been merged into this issue.

@gopherbot

Comment 5:

CL https://golang.org/cl/118750043 mentions this issue.

This issue was closed.
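
The asymmetry reported in this issue, as an added example that is not part of the original thread or the Go project's code: `preFixCompare` is a hypothetical reconstruction written to match the behaviour hanwen describes (only the first argument's length bounds the loop), and `lengthCheckedCompare` is one way to reject unequal lengths up front. The function names and the sample value are constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// preFixCompare is a hypothetical reconstruction of the reported behaviour:
// the loop is bounded by len(x) only, and len(y) is never checked.
func preFixCompare(x, y []byte) (result int, panicked bool) {
	defer func() {
		if recover() != nil { // y shorter than x: index out of range
			result, panicked = 0, true
		}
	}()
	var v byte
	for i := 0; i < len(x); i++ {
		v |= x[i] ^ y[i]
	}
	return subtle.ConstantTimeByteEq(v, 0), false
}

// lengthCheckedCompare rejects unequal lengths before comparing contents.
// Lengths are treated as public, so the early return does not leak the secret.
func lengthCheckedCompare(x, y []byte) int {
	if len(x) != len(y) {
		return 0
	}
	var v byte
	for i := range x {
		v |= x[i] ^ y[i]
	}
	return subtle.ConstantTimeByteEq(v, 0)
}

func main() {
	secret := []byte("s3cr3t-mac-value") // constructed sample value
	cases := [][2][]byte{
		{secret[:4], secret}, // short first argument that is a prefix of the second
		{[]byte{}, secret},   // empty first argument
		{secret, secret[:4]}, // short second argument
		{secret, secret},     // equal length, equal contents
	}
	for _, c := range cases {
		r, p := preFixCompare(c[0], c[1])
		fmt.Printf("len(x)=%2d len(y)=%2d preFix=%d panicked=%v checked=%d stdlib=%d\n", len(c[0]), len(c[1]),
			r, p, lengthCheckedCompare(c[0], c[1]), subtle.ConstantTimeCompare(c[0], c[1]))
	}
}
```

The `stdlib` column calls `crypto/subtle.ConstantTimeCompare` from the installed toolchain, which in current Go releases returns 0 when the slice lengths differ.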