Use constant-time token verification in API (#1690)
Fixes #1641. The size of the token can be leaked, even if we pad or cut user's input we can't make it indistinguishable form the normal case.
This commit is contained in:
committed by
Quentin Le Sceller
parent
7e7697bf4b
commit
8ee8043fd9
+5
-2
@@ -15,6 +15,7 @@
|
||||
use futures::future::ok;
|
||||
use hyper::header::{HeaderValue, AUTHORIZATION, WWW_AUTHENTICATE};
|
||||
use hyper::{Body, Request, Response, StatusCode};
|
||||
use ring::constant_time::verify_slices_are_equal;
|
||||
use router::{Handler, HandlerObj, ResponseFuture};
|
||||
|
||||
// Basic Authentication Middleware
|
||||
@@ -38,8 +39,10 @@ impl Handler for BasicAuthMiddleware {
|
||||
req: Request<Body>,
|
||||
mut handlers: Box<Iterator<Item = HandlerObj>>,
|
||||
) -> ResponseFuture {
|
||||
if req.headers().contains_key(AUTHORIZATION)
|
||||
&& req.headers()[AUTHORIZATION] == self.api_basic_auth
|
||||
if req.headers().contains_key(AUTHORIZATION) && verify_slices_are_equal(
|
||||
req.headers()[AUTHORIZATION].as_bytes(),
|
||||
&self.api_basic_auth.as_bytes(),
|
||||
).is_ok()
|
||||
{
|
||||
handlers.next().unwrap().call(req, handlers)
|
||||
} else {
|
||||
|
||||
@@ -27,6 +27,7 @@ extern crate hyper;
|
||||
#[macro_use]
|
||||
extern crate lazy_static;
|
||||
extern crate regex;
|
||||
extern crate ring;
|
||||
extern crate serde;
|
||||
#[macro_use]
|
||||
extern crate serde_derive;
|
||||
|
||||
Reference in New Issue
Block a user