Use ConstantTimeCompare when comparing challenge.

Jacob Hoffman-Andrews 2015-01-30 12:36:43 -08:00
parent 85e81901ae
commit eca3aeb6ed
1 changed files with 2 additions and 2 deletions


@ -6,9 +6,9 @@
package boulder
import (
"bytes"
"crypto/rand"
"crypto/sha256"
"crypto/subtle"
"crypto/tls"
"encoding/hex"
"fmt"
@ -82,7 +82,7 @@ func (va ValidationAuthorityImpl) validateSimpleHTTPS(authz Authorization) (chal
return
}
if bytes.Compare(body, []byte(challenge.Token)) == 0 {
if subtle.ConstantTimeCompare(body, []byte(challenge.Token)) == 1 {
challenge.Status = StatusValid
return
}
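Review bot: The new `subtle.ConstantTimeCompare` check still reports a match when `body` and `challenge.Token` are both empty, because two zero-length slices compare as equal. Whether an empty token can reach this point is not visible in the hunk, so a guard such as `if len(challenge.Token) > 0 && subtle.ConstantTimeCompare(body, []byte(challenge.Token)) == 1 {` would make the requirement explicit. ConstantTimeCompare also returns 0 immediately on a length mismatch, so only equal-length inputs are compared in constant time; a comment like `// constant-time only for equal lengths; token length is not treated as secret` would record that. validateSimpleHTTPS starts and ends outside the hunk, so how `body` is read and size-bounded cannot be checked from here.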