lndc: use constant time comparison to verify DH proof

2016-04-24 12:37:27 -07:00 · 2016-04-24 12:37:27 -07:00 · fc06c7bffb
commit fc06c7bffb
parent ea49b15e70
1 changed files with 3 additions and 2 deletions
--- a/lndc/conn.go
+++ b/lndc/conn.go
@ -3,6 +3,7 @@ package lndc
 import (
 	"bytes"
 	"crypto/cipher"
+	"crypto/hmac"
 	"encoding/binary"
 	"fmt"
 	"net"
@ -181,7 +182,7 @@ func (c *LNDConn) authPubKey(

 	// Verify that their proof matches our locally computed version.
 	theirDHproof := btcutil.Hash160(append(localEphPubBytes, idDH[:]...))
-	if bytes.Equal(resp, theirDHproof) == false {
+	if !hmac.Equal(resp, theirDHproof) {
 		return fmt.Errorf("invalid DH proof %x", theirDHproof)
 	}

@ -232,7 +233,7 @@ func (c *LNDConn) authPKH(
 	theirDHproof := btcutil.Hash160(append(localEphPubBytes, idDH[:]...))

 	// Verify that their DH proof matches the one we just generated.
-	if bytes.Equal(resp[33:], theirDHproof) == false {
+	if !hmac.Equal(resp[33:], theirDHproof) {
 		return fmt.Errorf("Invalid DH proof %x", theirDHproof)
 	}