pkg/auth: userpass: compare strings in constant time

Makes the HTTP auth check more resistant to timing attacks.

Resolves #1205

Change-Id: I6069331d9a6da454a2e664a57cb425f53dea0016
This commit is contained in:
Philip Silva 2018-08-09 15:26:54 +02:00
parent f6280b16cd
commit 457a636722
1 changed files with 4 additions and 3 deletions


@ -19,6 +19,7 @@ package auth // import "perkeep.org/pkg/auth"
import (
"crypto/rand"
"crypto/subtle"
"errors"
"fmt"
"net/http"
@ -242,11 +243,11 @@ type UserPass struct {
func (up *UserPass) AllowedAccess(req *http.Request) Operation {
user, pass, err := httputil.BasicAuth(req)
if err == nil {
if user == up.Username {
if pass == up.Password {
if subtle.ConstantTimeCompare([]byte(user), []byte(up.Username)) == 1 {
if subtle.ConstantTimeCompare([]byte(pass), []byte(up.Password)) == 1 {
return OpAll
}
if up.VivifyPass != nil && pass == *up.VivifyPass {
if up.VivifyPass != nil && subtle.ConstantTimeCompare([]byte(pass), []byte(*up.VivifyPass)) == 1 {
return OpVivify
}
}