simono41/ntfy-alertmanager
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

basicAuthMiddleware: Protect against timing attacks

Browse source 
Compare strings of equal length (hashed with SHA-512) with
ConstantTimeCompare.

Closes: https://todo.xenrox.net/~xenrox/ntfy-alertmanager/1
This commit is contained in:
Thorben Günther 2022-10-13 13:08:54 +02:00
parent 9d0772b436
commit 1714bf5ed6
No known key found for this signature in database
GPG key ID: 415CD778D8C5AFED
1 changed files with 11 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
main.go
View file

@ -1,6 +1,8 @@
package main package main
import ( import (
"crypto/sha512"
"crypto/subtle"
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"flag" "flag"
@ -169,7 +171,15 @@ func (rcv *receiver) basicAuthMiddleware(handler http.HandlerFunc) http.HandlerF
return return
} }
if user != rcv.cfg.User || pass != rcv.cfg.Password { inputUserHash := sha512.Sum512([]byte(user))
inputPassHash := sha512.Sum512([]byte(pass))
configUserHash := sha512.Sum512([]byte(rcv.cfg.User))
configPassHash := sha512.Sum512([]byte(rcv.cfg.Password))
validUser := subtle.ConstantTimeCompare(inputUserHash[:], configUserHash[:])
validPass := subtle.ConstantTimeCompare(inputPassHash[:], configPassHash[:])
if validUser != 1 || validPass != 1 {
http.Error(w, "Unauthorized", http.StatusUnauthorized) http.Error(w, "Unauthorized", http.StatusUnauthorized)
rcv.logger.Debug("basic auth: wrong user or password") rcv.logger.Debug("basic auth: wrong user or password")
return return