Make authentication check time-constant.

2013-12-05 11:59:08 -05:00 · 2013-12-05 11:59:08 -05:00 · 311276eae5
commit 311276eae5
parent a9cc0d4465
1 changed files with 40 additions and 21 deletions
--- a/sockets.go
+++ b/sockets.go
@ -21,7 +21,9 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/sha256"
 	_ "crypto/sha512" // for cert generation
 	"crypto/subtle"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
@ -100,18 +102,18 @@ var (
 // config, shutdown, etc.)
 type server struct {
 	port      string
 	username  string
 	password  string
 	wg        sync.WaitGroup
 	listeners []net.Listener
 	authsha   [sha256.Size]byte
 }
 // newServer returns a new instance of the server struct.
 func newServer() (*server, error) {
 	login := cfg.Username + ":" + cfg.Password
 	auth := "Basic " + base64.StdEncoding.EncodeToString([]byte(login))
 	s := server{
-		port:     cfg.SvrPort,
+		authsha: sha256.Sum256([]byte(auth)),
-		username: cfg.Username,
+		port:    cfg.SvrPort,
 		password: cfg.Password,
 	}
 	// Check for existence of cert file and key file
@ -663,24 +665,19 @@ func (s *server) Start() {
 	serveMux := http.NewServeMux()
 	httpServer := &http.Server{Handler: serveMux}
 	serveMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		if err := s.checkAuth(r); err != nil {
 			http.Error(w, "401 Unauthorized.", http.StatusUnauthorized)
 			return
 		}
 		s.handleRPCRequest(w, r)
 	})
-	wsServer := websocket.Server{
+	serveMux.HandleFunc("/frontend", func(w http.ResponseWriter, r *http.Request) {
-		Handler: websocket.Handler(func(ws *websocket.Conn) {
+		if err := s.checkAuth(r); err != nil {
-			frontendSendRecv(ws)
+			http.Error(w, "401 Unauthorized.", http.StatusUnauthorized)
-		}),
+			return
-		Handshake: func(_ *websocket.Config, r *http.Request) error {
+		}
-			login := s.username + ":" + s.password
+		websocket.Handler(frontendSendRecv).ServeHTTP(w, r)
-			auth := "Basic " + base64.StdEncoding.EncodeToString([]byte(login))
+	})
 			authhdr := r.Header["Authorization"]
 			if len(authhdr) <= 0 || authhdr[0] != auth {
 				log.Infof("Frontend did not supply correct authentication.")
 				return errors.New("auth failure")
 			}
 			return nil
 		},
 	}
 	serveMux.Handle("/frontend", wsServer)
 	for _, listener := range s.listeners {
 		s.wg.Add(1)
 		go func(listener net.Listener) {
@ -692,6 +689,28 @@ func (s *server) Start() {
 	}
 }
 // checkAuth checks the HTTP Basic authentication supplied by a frontend
 // in the HTTP request r.  If the frontend's supplied authentication does
 // not match the username and password expected, a non-nil error is
 // returned.
 //
 // This check is time-constant.
 func (s *server) checkAuth(r *http.Request) error {
 	authhdr := r.Header["Authorization"]
 	if len(authhdr) <= 0 {
 		log.Infof("Frontend did not supply authentication.")
 		return errors.New("auth failure")
 	}
 	authsha := sha256.Sum256([]byte(authhdr[0]))
 	cmp := subtle.ConstantTimeCompare(authsha[:], s.authsha[:])
 	if cmp != 1 {
 		log.Infof("Frontend did not supply correct authentication.")
 		return errors.New("auth failure")
 	}
 	return nil
 }
 // BtcdConnect connects to a running btcd instance over a websocket
 // for sending and receiving chain-related messages, failing if the
 // connection cannot be established or is lost.