I've just uncovered something that is probably documented elsewhere, and
known to many, but I hadn't discovered it until doing some unit tests on an
authentication library I'm working on.
When using the ConstantTimeCompare
(http://golang.org/pkg/crypto/subtle/#ConstantTimeCompare) function from the
crypto/subtle package, make sure neither input is an empty byte slice.
If the first parameter is an empty byte slice, and the second isn't, the
function will return "1" when the docs say "returns 1 iff the two equal
length slices, x and y, have equal contents".
If the second parameter is an empty byte slice, and the first isn't, the
function will panic.
See http://play.golang.org/p/r11-td_-BJ for an example.
I'm not sure if this is a bug, or if it's included under "require careful
thought to use correctly".
It's easily avoided by making sure that the len() of the input slices isn't
0, but it had me stumped for a while!
Am I right in saying that this isn't mentioned anywhere in the standard
docs? Or have I just missed it?
Thanks and regards,
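
The length guard suggested in the message, as an added example that is not part of the original post or of the Go project's code. `legacyCompare` is a constructed stand-in that reproduces the behaviour reported above (it is not the standard library's source), and `legacyOutcome` and `safeEqual` are hypothetical helper names.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// legacyCompare is a constructed stand-in that behaves the way the post
// describes: it walks x and indexes y, with no length check of its own.
// It is not the standard library's source.
func legacyCompare(x, y []byte) int {
	var v byte
	for i := 0; i < len(x); i++ {
		v |= x[i] ^ y[i] // panics if y is shorter than x
	}
	return subtle.ConstantTimeByteEq(v, 0)
}

// legacyOutcome runs legacyCompare and reports a panic instead of crashing.
func legacyOutcome(x, y []byte) (result int, panicked bool) {
	defer func() {
		if recover() != nil {
			result, panicked = 0, true
		}
	}()
	return legacyCompare(x, y), false
}

// safeEqual (hypothetical helper) applies the guard from the post: reject
// empty or unequal-length inputs before the constant-time comparison.
// The early return reveals only the length mismatch, not the contents.
func safeEqual(x, y []byte) bool {
	if len(x) == 0 || len(y) == 0 || len(x) != len(y) {
		return false
	}
	return subtle.ConstantTimeCompare(x, y) == 1
}

func main() {
	secret := []byte("constructed-secret") // constructed sample value
	cases := [][2][]byte{
		{{}, secret}, {secret, {}}, {secret, secret}, {[]byte("constructed-secreT"), secret},
	}
	for _, c := range cases {
		r, p := legacyOutcome(c[0], c[1])
		fmt.Printf("x=%q y=%q legacy=%d panicked=%v safe=%v\n", c[0], c[1], r, p, safeEqual(c[0], c[1]))
	}
}
```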