decrypt: the "constant time" comparison, wasn't

alexzorin · Jul 30, 2019 · eac435b · eac435b
1 parent 8b5c58d
commit eac435b
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/crypto.go b/crypto.go
@@ -6,6 +6,7 @@ import (
 	"crypto/hmac"
 	"crypto/rand"
 	"crypto/sha1"
+	"crypto/subtle"
 	"encoding/base32"
 	"encoding/base64"
 	"encoding/binary"
@@ -115,11 +116,12 @@ func decryptToken(encryptedSeedB64, salt, passphrase string) (string, error) {
 	if paddingLen > aes.BlockSize || paddingStart >= len(out) || paddingStart <= 0 {
 		return "", errors.New("decryption failed")
 	}
-	cmp := true
+
+	var cmp byte
 	for _, pad := range out[paddingStart:] {
-		cmp = cmp && pad == paddingLen
+		cmp |= pad ^ paddingLen
 	}
-	if !cmp {
+	if subtle.ConstantTimeByteEq(cmp, 0) != 1 {
 		return "", errors.New("decryption failed")
 	}