- Add constant-time token comparison utility (crypto/subtle)
- Add SBOM generation and attestation to CI/CD pipeline
- Document TLS enforcement, DNS security (DoH/DoT), and container hardening
- Create Security Incident Response Plan (SIRP)
- Add security update notification documentation

Security enhancements:
- Mitigates timing attacks on invite token validation
- Provides supply chain transparency with CycloneDX SBOM
- Documents production container hardening (read_only, cap_drop)

Closes #365
package util
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
)
|
|
|
|
// ConstantTimeCompare compares two strings in constant time to prevent timing attacks.
|
|
// Returns true if the strings are equal, false otherwise.
|
|
// This should be used when comparing sensitive values like tokens.
|
|
func ConstantTimeCompare(a, b string) bool {
|
|
aBytes := []byte(a)
|
|
bBytes := []byte(b)
|
|
|
|
// subtle.ConstantTimeCompare returns 1 if equal, 0 if not
|
|
return subtle.ConstantTimeCompare(aBytes, bBytes) == 1
|
|
}
|
|
|
|
// ConstantTimeCompareBytes compares two byte slices in constant time.
|
|
func ConstantTimeCompareBytes(a, b []byte) bool {
|
|
return subtle.ConstantTimeCompare(a, b) == 1
|
|
}
|
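Review bot: The doc comment on ConstantTimeCompare overstates the guarantee: subtle.ConstantTimeCompare returns 0 immediately when len(a) != len(b), so a mismatch in length is still observable through timing and only the byte-by-byte content comparison is constant-time. That is acceptable when invite tokens have a fixed length, but the comment should state the limitation, e.g. `// Note: the lengths are compared first and a mismatch returns early, so the token length is not hidden; use fixed-length tokens or hash both inputs before comparing.` The same caveat applies to ConstantTimeCompareBytes, whose comment also omits what it returns (`// Returns true if the slices are equal, false otherwise.`). If variable-length secrets will ever be compared here, hashing both sides (e.g. with sha256) before the call makes the comparison independent of the input length.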