Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
policy: Use timing-safe string comparison
[ upstream commit 1e298fa ] When validating the input header value against a secret, it is advisable to use a timing-safe string comparison operator with a runtime that is independent of the number of equivalent prefix bytes of the secret and header value. This commit is to use CRYPTO_memcmp function[^1] for string comparison, similar to what is done in envoy codebase. [^1]: https://github.com/openssl/openssl/blob/master/doc/man3/CRYPTO_memcmp.pod Signed-off-by: Tam Mach <tam.mach@cilium.io>
- Loading branch information