use constant time when authenticating users

[#161248339] Signed-off-by: Jack Newberry <[email protected]> Co-authored-by: Jack Newberry <[email protected]>
pivotal-cf · Oct 16, 2018 · c37f78a · c37f78a
1 parent 036a459
commit c37f78a
Showing 1 changed file with 15 additions and 8 deletions.
diff --git a/auth/auth.go b/auth/auth.go
@@ -15,18 +15,21 @@
 
 package auth
 
-import "net/http"
+import (
+ "crypto/sha256"
+ "crypto/subtle"
+ "net/http"
+)
 
 type Wrapper struct {
- username string
- password string
+ username []byte
+ password []byte
 }
 
 func NewWrapper(username, password string) *Wrapper {
- return &Wrapper{
- username: username,
- password: password,
- }
+ u := sha256.Sum256([]byte(username))
+ p := sha256.Sum256([]byte(password))
+ return &Wrapper{username: u[:], password: p[:]}
 }
 
 const notAuthorized = "Not Authorized"
@@ -55,5 +58,9 @@ func (wrapper *Wrapper) WrapFunc(handlerFunc http.HandlerFunc) http.HandlerFunc
 
 func authorized(wrapper *Wrapper, r *http.Request) bool {
  username, password, isOk := r.BasicAuth()
- return isOk && username == wrapper.username && password == wrapper.password
+ u := sha256.Sum256([]byte(username))
+ p := sha256.Sum256([]byte(password))
+ return isOk &&
+ subtle.ConstantTimeCompare(wrapper.username, u[:]) == 1 &&
+ subtle.ConstantTimeCompare(wrapper.password, p[:]) == 1
 }