From c37f78a8d452b14720dec383f1d48463568c520c Mon Sep 17 00:00:00 2001
From: Derik Evangelista
Date: Tue, 16 Oct 2018 11:48:56 +0100
Subject: [PATCH] use constant time when authenticating users [#161248339]
Signed-off-by: Jack Newberry
Co-authored-by: Jack Newberry
---
 auth/auth.go | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/auth/auth.go b/auth/auth.go
index 6741a72a..74e7799f 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -15,18 +15,21 @@ package auth
-import "net/http"
+import (
+	"crypto/sha256"
+	"crypto/subtle"
+	"net/http"
+)
 type Wrapper struct {
-	username string
-	password string
+	username []byte
+	password []byte
 }
 func NewWrapper(username, password string) *Wrapper {
-	return &Wrapper{
-		username: username,
-		password: password,
-	}
+	u := sha256.Sum256([]byte(username))
+	p := sha256.Sum256([]byte(password))
+	return &Wrapper{username: u[:], password: p[:]}
 }
 const notAuthorized = "Not Authorized"
@@ -55,5 +58,9 @@ func (wrapper *Wrapper) WrapFunc(handlerFunc http.HandlerFunc) http.HandlerFunc
 func authorized(wrapper *Wrapper, r *http.Request) bool {
 	username, password, isOk := r.BasicAuth()
-	return isOk && username == wrapper.username && password == wrapper.password
+	u := sha256.Sum256([]byte(username))
+	p := sha256.Sum256([]byte(password))
+	return isOk &&
+		subtle.ConstantTimeCompare(wrapper.username, u[:]) == 1 &&
+		subtle.ConstantTimeCompare(wrapper.password, p[:]) == 1
 }
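Review bot: NewWrapper now keeps SHA-256 digests instead of the credential strings, but nothing in the hunk records why, and the reason is the property the whole commit relies on: per the crypto/subtle docs, ConstantTimeCompare returns 0 immediately when its arguments differ in length, so comparing the raw strings would still leak the length of the configured username and password. A one-line comment above the two `sha256.Sum256` calls protects that intent from a future "simplification" that stores the plain strings again, e.g. `// Hash to a fixed-length digest so ConstantTimeCompare cannot leak credential length.` The struct fields would also read better with a note that they hold digests rather than the credentials, e.g. `username []byte // sha256 of the configured username`. The hashing here is not password storage (no salt, single configured credential), which is fine for an in-memory comparison target but worth stating so nobody reuses the pattern for persisted passwords.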
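Review bot: The `&&` between the two ConstantTimeCompare calls in authorized short-circuits, so the password digest is only compared when the username digest already matched; the response time therefore still differs for a correct versus incorrect username, which is the kind of leak the commit sets out to close (hard to measure over a network, but the fix is cheap). Evaluate both comparisons unconditionally and combine the results with a bitwise AND: `userOK := subtle.ConstantTimeCompare(wrapper.username, u[:])`, `passOK := subtle.ConstantTimeCompare(wrapper.password, p[:])`, `return isOk && userOK&passOK == 1`. The leading `isOk &&` can stay as is, since it only reflects whether the Authorization header parsed, which the client already knows. Computing both digests before the return, as the hunk already does, should be kept so the hashing cost does not depend on the outcome either.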