Make TsigVerify's MAC comparison take constant time
parent
fd12a9cea4
commit
857a1c66cb
17
tsig.go
17
tsig.go
|
@ -217,12 +217,17 @@ func TsigVerify(msg []byte, secret, requestMAC string, timersOnly bool) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// Srtip the TSIG from the incoming msg
|
||||
// Strip the TSIG from the incoming msg
|
||||
stripped, tsig, err := stripTsig(msg)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
msgMAC, err := hex.DecodeString(tsig.MAC)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
buf := tsigBuffer(stripped, tsig, requestMAC, timersOnly)
|
||||
ti := uint64(time.Now().Unix()) - tsig.TimeSigned
|
||||
if uint64(tsig.Fudge) < ti {
|
||||
|
@ -232,16 +237,16 @@ func TsigVerify(msg []byte, secret, requestMAC string, timersOnly bool) error {
|
|||
var h hash.Hash
|
||||
switch tsig.Algorithm {
|
||||
case HmacMD5:
|
||||
h = hmac.New(md5.New, []byte(rawsecret))
|
||||
h = hmac.New(md5.New, rawsecret)
|
||||
case HmacSHA1:
|
||||
h = hmac.New(sha1.New, []byte(rawsecret))
|
||||
h = hmac.New(sha1.New, rawsecret)
|
||||
case HmacSHA256:
|
||||
h = hmac.New(sha256.New, []byte(rawsecret))
|
||||
h = hmac.New(sha256.New, rawsecret)
|
||||
default:
|
||||
return ErrKeyAlg
|
||||
}
|
||||
io.WriteString(h, string(buf))
|
||||
if strings.ToUpper(hex.EncodeToString(h.Sum(nil))) != strings.ToUpper(tsig.MAC) {
|
||||
h.Write(buf)
|
||||
if !hmac.Equal(h.Sum(nil), msgMAC) {
|
||||
return ErrSig
|
||||
}
|
||||
return nil
|
||||
|
|
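Review bot: A MAC field that is not valid hex now leaves TsigVerify through the new `hex.DecodeString(tsig.MAC)` error branch in the first hunk with an encoding/hex error, where the old string comparison would have ended in ErrSig. Callers that match on ErrSig to decide how to answer or log a bad signature would see a malformed MAC as a different kind of failure, so that branch should return the signature error: `if err != nil { return ErrSig }`. The `hmac.Equal(h.Sum(nil), msgMAC)` check in the second hunk also returns false when the lengths differ, which deserves a short comment such as `// constant-time compare; a MAC of the wrong length fails too, do not replace with == or bytes.Equal`. TsigVerify starts before the first hunk and continues between and after the two hunks, so the body of the fudge check is not visible here.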