core/go-crypt
8
0
Fork 0
Code Issues 5 Pull requests 1 Projects Releases Packages Wiki Activity Actions

security: use constant-time comparison for auth credentials
Some checks failed
Security Scan / security (push) Failing after 8s
Details
Test / test (push) Failing after 21s
Details

Browse source 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Snider 2026-03-09 08:27:38 +00:00
parent 999b115315
commit e561e1ee1f
1 changed files with 4 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
crypt/lthn/lthn.go
View file

@ -18,6 +18,7 @@ package lthn
import (
"crypto/sha256"
"crypto/subtle"
"encoding/hex"
)
@ -87,8 +88,8 @@ func createSalt(input string) string {
// Verify checks if an input string produces the given hash.
// Returns true if Hash(input) equals the provided hash value.
// Uses direct string comparison - for security-critical applications,
// consider using constant-time comparison.
// Uses constant-time comparison to prevent timing attacks.
func Verify(input string, hash string) bool {
return Hash(input) == hash
computed := Hash(input)
return subtle.ConstantTimeCompare([]byte(computed), []byte(hash)) == 1
}