Make authentication check time-constant.

This commit is contained in:
Josh Rickmar 2013-12-05 13:21:51 -05:00
parent 786409d06e
commit bbb10dc387

View file

@ -11,7 +11,9 @@ import (
"crypto/ecdsa" "crypto/ecdsa"
"crypto/elliptic" "crypto/elliptic"
"crypto/rand" "crypto/rand"
"crypto/sha256"
_ "crypto/sha512" // for cert generation _ "crypto/sha512" // for cert generation
"crypto/subtle"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
@ -52,10 +54,9 @@ type rpcServer struct {
started int32 started int32
shutdown int32 shutdown int32
server *server server *server
authsha [sha256.Size]byte
ws wsContext ws wsContext
wg sync.WaitGroup wg sync.WaitGroup
username string
password string
listeners []net.Listener listeners []net.Listener
quit chan int quit chan int
} }
@ -276,32 +277,21 @@ func (s *rpcServer) Start() {
rpcServeMux := http.NewServeMux() rpcServeMux := http.NewServeMux()
httpServer := &http.Server{Handler: rpcServeMux} httpServer := &http.Server{Handler: rpcServeMux}
rpcServeMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { rpcServeMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
login := s.username + ":" + s.password if err := s.checkAuth(r); err != nil {
auth := "Basic " + base64.StdEncoding.EncodeToString([]byte(login))
authhdr := r.Header["Authorization"]
if len(authhdr) > 0 && authhdr[0] == auth {
jsonRPCRead(w, r, s)
} else {
rpcsLog.Warnf("Auth failure.")
jsonAuthFail(w, r, s) jsonAuthFail(w, r, s)
return
} }
jsonRPCRead(w, r, s)
}) })
go s.walletListenerDuplicator() go s.walletListenerDuplicator()
wsServer := websocket.Server{ rpcServeMux.HandleFunc("/wallet", func(w http.ResponseWriter, r *http.Request) {
Handler: websocket.Handler(func(ws *websocket.Conn) { if err := s.checkAuth(r); err != nil {
s.walletReqsNotifications(ws) http.Error(w, "401 Unauthorized.", http.StatusUnauthorized)
}), return
Handshake: func(_ *websocket.Config, r *http.Request) error { }
login := s.username + ":" + s.password websocket.Handler(s.walletReqsNotifications).ServeHTTP(w, r)
auth := "Basic " + base64.StdEncoding.EncodeToString([]byte(login)) })
authhdr := r.Header["Authorization"]
if len(authhdr) <= 0 || authhdr[0] != auth {
return errors.New("auth failure")
}
return nil
},
}
rpcServeMux.Handle("/wallet", wsServer)
for _, listener := range s.listeners { for _, listener := range s.listeners {
s.wg.Add(1) s.wg.Add(1)
go func(listener net.Listener) { go func(listener net.Listener) {
@ -313,6 +303,28 @@ func (s *rpcServer) Start() {
} }
} }
// checkAuth checks the HTTP Basic authentication supplied by a wallet
// or RPC client in the HTTP request r. If the supplied authentication
// does not match the username and password expected, a non-nil error is
// returned.
//
// This check is time-constant.
func (s *rpcServer) checkAuth(r *http.Request) error {
authhdr := r.Header["Authorization"]
if len(authhdr) <= 0 {
rpcsLog.Warnf("Auth failure.")
return errors.New("auth failure")
}
authsha := sha256.Sum256([]byte(authhdr[0]))
cmp := subtle.ConstantTimeCompare(authsha[:], s.authsha[:])
if cmp != 1 {
rpcsLog.Warnf("Auth failure.")
return errors.New("auth failure")
}
return nil
}
// Stop is used by server.go to stop the rpc listener. // Stop is used by server.go to stop the rpc listener.
func (s *rpcServer) Stop() error { func (s *rpcServer) Stop() error {
if atomic.AddInt32(&s.shutdown, 1) != 1 { if atomic.AddInt32(&s.shutdown, 1) != 1 {
@ -426,13 +438,13 @@ func genKey(key, cert string) error {
// newRPCServer returns a new instance of the rpcServer struct. // newRPCServer returns a new instance of the rpcServer struct.
func newRPCServer(listenAddrs []string, s *server) (*rpcServer, error) { func newRPCServer(listenAddrs []string, s *server) (*rpcServer, error) {
login := cfg.RPCUser + ":" + cfg.RPCPass
auth := "Basic " + base64.StdEncoding.EncodeToString([]byte(login))
rpc := rpcServer{ rpc := rpcServer{
server: s, authsha: sha256.Sum256([]byte(auth)),
quit: make(chan int), server: s,
quit: make(chan int),
} }
// Get values from config
rpc.username = cfg.RPCUser
rpc.password = cfg.RPCPass
// initialize memory for websocket connections // initialize memory for websocket connections
rpc.ws.connections = make(map[chan []byte]*requestContexts) rpc.ws.connections = make(map[chan []byte]*requestContexts)