Hi all,

I've just uncovered something that is probably documented elsewhere, and
known to many, but I hadn't discovered it until doing some unit tests on an
authentication library I'm working on.

When using the ConstantTimeCompare
(http://golang.org/pkg/crypto/subtle/#ConstantTimeCompare) function from the
crypto/subtle package, make sure neither input is an empty byte slice.

If the first parameter is an empty byte slice, and the second isn't, the
function will return "1" when the docs say "returns 1 iff the two equal
length slices, x and y, have equal contents".

If the second parameter is an empty byte slice, and the first isn't, the
function will panic.

See http://play.golang.org/p/r11-td_-BJ for an example.

I'm not sure if this is a bug, or if it's included under "require careful
thought to use correctly".

It's easily avoided by making sure that the len() of the input slices isn't
0, but it had me stumped for a while!

Am I right in saying that this isn't mentioned anywhere in the standard
docs? Or have I just missed it?

Thanks and regards,

Mike.

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


  • Agl at May 12, 2013 at 12:51 pm

    On Sunday, May 12, 2013 4:55:53 AM UTC-4, Mike Hughes wrote:

    > If the first parameter is an empty byte slice, and the second isn't, the
    > function will return "1" when the docs say "returns 1 iff the two equal
    > length slices, x and y, have equal contents".

    If your two inputs to ConstantTimeCompare are not of equal length, as
    required, then odd things will happen.


    Cheers

    AGL
  • Mike Hughes at May 12, 2013 at 12:57 pm
    Aha!

    I assumed that the function would check that they were of equal length, and
    produce an error if they weren't. Reading the source I can see that it
    doesn't.

    Thanks for the clarification. I'll make sure the inputs are equal length
    before comparing.

    Mike.
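
The two cases from this thread, as an added Go example that is not part of the original posts: `uncheckedCompare` is a hypothetical reconstruction of a compare loop with no length check (an assumption consistent with the behaviour reported above, not the library's source), and `safeEqual` is a hypothetical wrapper that rejects empty or unequal-length input before comparing. Current Go releases document that ConstantTimeCompare returns 0 immediately when the lengths differ.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// uncheckedCompare is a hypothetical reconstruction of a compare loop with
// no length check; it reproduces the behaviour reported in the thread.
func uncheckedCompare(x, y []byte) int {
	var v byte
	for i := 0; i < len(x); i++ {
		v |= x[i] ^ y[i] // index out of range when y is shorter than x
	}
	return subtle.ConstantTimeByteEq(v, 0)
}

// tryUnchecked runs uncheckedCompare and reports a panic instead of crashing.
func tryUnchecked(x, y []byte) (result int, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	return uncheckedCompare(x, y), false
}

// safeEqual (hypothetical helper) rejects an empty expected value and any
// length mismatch before comparing contents. Only lengths, which are not
// secret here, influence the early return.
func safeEqual(supplied, expected []byte) bool {
	if len(expected) == 0 || len(supplied) != len(expected) {
		return false
	}
	return subtle.ConstantTimeCompare(supplied, expected) == 1
}

func main() {
	secret := []byte("constructed-sample-token") // constructed sample value
	r, p := tryUnchecked([]byte{}, secret)
	fmt.Println("unchecked, empty first arg: result", r, "panicked", p)
	r, p = tryUnchecked(secret, []byte{})
	fmt.Println("unchecked, empty second arg: result", r, "panicked", p)
	fmt.Println("safeEqual, empty supplied:", safeEqual([]byte{}, secret))
	fmt.Println("safeEqual, matching:", safeEqual(secret, secret))
}
```

For an authentication library, the first case is the one that matters most: without the length check, an empty supplied value compares as equal to any stored secret.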
