alexedwards
commented
5 years ago Thanks for both the PR and the information, ConstantTimeEq was new to me :+1:
Closed darccio closed 5 years ago
alexedwards
commented
5 years ago Thanks for both the PR and the information, ConstantTimeEq was new to me :+1:
According to this SO comment 1 and its attached source code, ConstantTimeCompare has a "subtle" behavior that could possible leak the length of compared data.
In order to fix this we should check both lengths using ConstantTimeEq.