Mercurial > urweb
comparison src/cjr_print.sml @ 1512:dcc8abbc6dfd
Change cookie signature comparison to resist timing attacks (based on code suggested by Robin Green and Austin Seipp)
| author | Adam Chlipala <adam@chlipala.net> |
|---|---|
| date | Tue, 19 Jul 2011 09:18:50 -0400 |
| parents | ebc30bb262d0 |
| children | c4f39b49aa2d |
comparison
equal
deleted
inserted
replaced
| 1511:e717e2b56b21 | 1512:dcc8abbc6dfd |
|---|---|
| 2632 string ("uw_get_input(ctx, " ^ Int.toString inum ^ ")"), | 2632 string ("uw_get_input(ctx, " ^ Int.toString inum ^ ")"), |
| 2633 string ";", | 2633 string ";", |
| 2634 newline, | 2634 newline, |
| 2635 string "if (sig == NULL) uw_error(ctx, FATAL, \"Missing cookie signature\");", | 2635 string "if (sig == NULL) uw_error(ctx, FATAL, \"Missing cookie signature\");", |
| 2636 newline, | 2636 newline, |
| 2637 string "if (strcmp(sig, uw_cookie_sig(ctx)))", | 2637 string "if (!uw_streq(sig, uw_cookie_sig(ctx)))", |
| 2638 newline, | 2638 newline, |
| 2639 box [string "uw_error(ctx, FATAL, \"Wrong cookie signature\");", | 2639 box [string "uw_error(ctx, FATAL, \"Wrong cookie signature\");", |
| 2640 newline], | 2640 newline], |
| 2641 string "}", | 2641 string "}", |
| 2642 newline] | 2642 newline] |