caddy/vendor/github.com/jimstudt/http-authentication/basic/util.go

package basic

import (
	"crypto/sha1"
	"crypto/subtle"
)

func constantTimeEquals(a string, b string) bool {
	// compare SHA-1 as a gatekeeper in constant time
	// then check that we didn't get by because of a collision
	aSha := sha1.Sum([]byte(a))
	bSha := sha1.Sum([]byte(b))
	if subtle.ConstantTimeCompare(aSha[:], bSha[:]) == 1 {
		// yes, this bit isn't constant, but you had to make a Sha1 collision to get here
		return a == b
	}
	return false
}
Vendor all dependencies (Warning: Huge changeset.) The vendor/ folder was created with the help of @FiloSottile's gvt and vendorcheck. Any dependencies of Caddy plugins outside this repo are not vendored. We do not remove any unused, vendored packages because vendorcheck -u only checks using the current build configuration; i.e. packages that may be imported by files toggled by build tags of other systems. CI tests have been updated to ignore the vendor/ folder. When Go 1.9 is released, a few of the go commands should be revised to again use ./... as it will ignore the vendor folder by default. 2017-05-27 14:30:11 -05:00			`package basic`

			`import (`
			`"crypto/sha1"`
			`"crypto/subtle"`
			`)`

			`func constantTimeEquals(a string, b string) bool {`
			`// compare SHA-1 as a gatekeeper in constant time`
			`// then check that we didn't get by because of a collision`
			`aSha := sha1.Sum([]byte(a))`
			`bSha := sha1.Sum([]byte(b))`
			`if subtle.ConstantTimeCompare(aSha[:], bSha[:]) == 1 {`
			`// yes, this bit isn't constant, but you had to make a Sha1 collision to get here`
			`return a == b`
			`}`
			`return false`
			`}`