using bytes.Compare in MAC validation leaks timing information

Question

dgryski opened this issue 10 years ago · 3 comments

Answer 1 · 2015-04-15T00:34:29.000Z

The code is already using hmac. Use hmac.Equal instead.

Answer 2 · 2015-04-15T00:53:44.000Z

@dgryski Thanks for the catch. Is the PR the right fix?

Answer 3 · 2015-04-15T00:56:55.000Z

Looks good to me.