Make authentication check time-constant.

This commit is contained in:
Josh Rickmar 2013-12-05 11:59:08 -05:00
parent a9cc0d4465
commit 311276eae5

View file

@ -21,7 +21,9 @@ import (
"crypto/ecdsa" "crypto/ecdsa"
"crypto/elliptic" "crypto/elliptic"
"crypto/rand" "crypto/rand"
"crypto/sha256"
_ "crypto/sha512" // for cert generation _ "crypto/sha512" // for cert generation
"crypto/subtle"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
@ -100,18 +102,18 @@ var (
// config, shutdown, etc.) // config, shutdown, etc.)
type server struct { type server struct {
port string port string
username string
password string
wg sync.WaitGroup wg sync.WaitGroup
listeners []net.Listener listeners []net.Listener
authsha [sha256.Size]byte
} }
// newServer returns a new instance of the server struct. // newServer returns a new instance of the server struct.
func newServer() (*server, error) { func newServer() (*server, error) {
login := cfg.Username + ":" + cfg.Password
auth := "Basic " + base64.StdEncoding.EncodeToString([]byte(login))
s := server{ s := server{
authsha: sha256.Sum256([]byte(auth)),
port: cfg.SvrPort, port: cfg.SvrPort,
username: cfg.Username,
password: cfg.Password,
} }
// Check for existence of cert file and key file // Check for existence of cert file and key file
@ -663,24 +665,19 @@ func (s *server) Start() {
serveMux := http.NewServeMux() serveMux := http.NewServeMux()
httpServer := &http.Server{Handler: serveMux} httpServer := &http.Server{Handler: serveMux}
serveMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { serveMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
if err := s.checkAuth(r); err != nil {
http.Error(w, "401 Unauthorized.", http.StatusUnauthorized)
return
}
s.handleRPCRequest(w, r) s.handleRPCRequest(w, r)
}) })
wsServer := websocket.Server{ serveMux.HandleFunc("/frontend", func(w http.ResponseWriter, r *http.Request) {
Handler: websocket.Handler(func(ws *websocket.Conn) { if err := s.checkAuth(r); err != nil {
frontendSendRecv(ws) http.Error(w, "401 Unauthorized.", http.StatusUnauthorized)
}), return
Handshake: func(_ *websocket.Config, r *http.Request) error {
login := s.username + ":" + s.password
auth := "Basic " + base64.StdEncoding.EncodeToString([]byte(login))
authhdr := r.Header["Authorization"]
if len(authhdr) <= 0 || authhdr[0] != auth {
log.Infof("Frontend did not supply correct authentication.")
return errors.New("auth failure")
} }
return nil websocket.Handler(frontendSendRecv).ServeHTTP(w, r)
}, })
}
serveMux.Handle("/frontend", wsServer)
for _, listener := range s.listeners { for _, listener := range s.listeners {
s.wg.Add(1) s.wg.Add(1)
go func(listener net.Listener) { go func(listener net.Listener) {
@ -692,6 +689,28 @@ func (s *server) Start() {
} }
} }
// checkAuth checks the HTTP Basic authentication supplied by a frontend
// in the HTTP request r. If the frontend's supplied authentication does
// not match the username and password expected, a non-nil error is
// returned.
//
// This check is time-constant.
func (s *server) checkAuth(r *http.Request) error {
authhdr := r.Header["Authorization"]
if len(authhdr) <= 0 {
log.Infof("Frontend did not supply authentication.")
return errors.New("auth failure")
}
authsha := sha256.Sum256([]byte(authhdr[0]))
cmp := subtle.ConstantTimeCompare(authsha[:], s.authsha[:])
if cmp != 1 {
log.Infof("Frontend did not supply correct authentication.")
return errors.New("auth failure")
}
return nil
}
// BtcdConnect connects to a running btcd instance over a websocket // BtcdConnect connects to a running btcd instance over a websocket
// for sending and receiving chain-related messages, failing if the // for sending and receiving chain-related messages, failing if the
// connection cannot be established or is lost. // connection cannot be established or is lost.