From 9479394b876146d1aa3b5bebd64a16b9c1047815 Mon Sep 17 00:00:00 2001
From: Matt Silverlock
Date: Thu, 20 Aug 2015 16:26:03 +0800
Subject: Reverts d8773d3 - backports len check for subtle.ConstantTimeCompare.
---
 securecookie.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/securecookie.go b/securecookie.go
index a776889..be43e9d 100644
--- a/securecookie.go
+++ b/securecookie.go
@@ -372,7 +372,9 @@ func createMac(h hash.Hash, value []byte) []byte {
 // verifyMac verifies that a message authentication code (MAC) is valid.
 func verifyMac(h hash.Hash, value []byte, mac []byte) error {
 mac2 := createMac(h, value)
- if subtle.ConstantTimeCompare(mac, mac2) == 1 {
+ // Check that both MACs are of equal length, as subtle.ConstantTimeCompare
+ // does not do this prior to Go 1.4.
+ if len(mac) == len(mac2) && subtle.ConstantTimeCompare(mac, mac2) == 1 {
 return nil
 }
 return ErrMacInvalid
--
cgit v1.2.3
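Review bot: The restored length guard in verifyMac ships without a regression test. The diffstat lists only securecookie.go, and since the subject says this commit reverts d8773d3, the check has apparently been dropped once already. A test that passes verifyMac an empty and a truncated `mac` and expects `ErrMacInvalid` would pin the behaviour on every supported Go version. The added comment could also state the consequence rather than only the version, e.g. `// Without this, Go < 1.4 may accept or mishandle a MAC of the wrong length.` The short-circuit on length is acceptable provided the MAC length is fixed by the hash and not secret, which createMac (outside this hunk) would have to confirm; the closing brace of verifyMac also lies outside the hunk.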