Implement constant time string compare for token

The sessions implementation previously used operator== for session
comparisons.  While unlikely to be attackable in the current
implementation, due to the time smearing in a number of cases, modern
security practices recommend using constant time comparison.

Tested By:
Logged into the webui, and observed no change to login flows.  Logged
into redfish using Token Auth, and observed no changes.  Closed a
previous session, then reopened with the new session information to
verify user sessions are restored properly and still work.

Change-Id: Ie759e4da67ba004fd8c327f177951ac756ea6799
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Signed-off-by: James Feist <james.feist@linux.intel.com>
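As an added illustration of the technique the commit adopts (example code, not part of bmcweb or this patch), here is a portable constant-time comparison that needs no OpenSSL and also avoids the early return on a length mismatch; the name `constantTimeEquals` is assumed.

```cpp
#include <cstddef>
#include <string_view>

// Added example, not bmcweb code: a portable constant-time string compare
// for builds without OpenSSL's CRYPTO_memcmp. Running time depends only on
// the length of the attacker-supplied candidate, never on where the first
// differing byte sits, which is what operator== / memcmp leak by returning
// at the first mismatch.
inline bool constantTimeEquals(std::string_view expected,
                               std::string_view candidate)
{
    // A length mismatch already means "false", but we still walk the whole
    // candidate (against itself) so the loop does uniform work either way.
    const bool sameLength = (expected.size() == candidate.size());
    const std::string_view reference = sameLength ? expected : candidate;

    // volatile stops the optimizer from short-circuiting once diff != 0.
    volatile unsigned char diff = sameLength ? 0 : 1;
    for (std::size_t i = 0; i < candidate.size(); ++i)
    {
        const unsigned char r = static_cast<unsigned char>(reference[i]);
        const unsigned char c = static_cast<unsigned char>(candidate[i]);
        diff = static_cast<unsigned char>(diff | (r ^ c));
    }
    return diff == 0;
}
```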
diff --git a/http/utility.h b/http/utility.h
index 3ea5806..ee88e5a 100644
--- a/http/utility.h
+++ b/http/utility.h
@@ -2,6 +2,8 @@
 
 #include "nlohmann/json.hpp"
 
+#include <openssl/crypto.h>
+
 #include <cstdint>
 #include <cstring>
 #include <functional>
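Review bot: pulling `<openssl/crypto.h>` into `http/utility.h` makes every translation unit that includes this widely used header depend on OpenSSL's headers being on the include path, for the sake of one `CRYPTO_memcmp` call. Consider either documenting the new hard build dependency or moving the comparison helper into a narrower header so callers that never compare tokens do not pay the include.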
@@ -779,5 +781,25 @@
     return getDateTime(time);
 }
 
+inline bool constantTimeStringCompare(const std::string_view a,
+                                      const std::string_view b)
+{
+    // Important note, this function is ONLY constant time if the two input
+    // sizes are the same
+    if (a.size() != b.size())
+    {
+        return false;
+    }
+    return CRYPTO_memcmp(a.data(), b.data(), a.size()) == 0;
+}
+
+struct ConstantTimeCompare
+{
+    bool operator()(const std::string_view a, const std::string_view b) const
+    {
+        return constantTimeStringCompare(a, b);
+    }
+};
+
 } // namespace utility
 } // namespace crow
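Review bot: the comment above the `a.size() != b.size()` early return should spell out what it leaks: a mismatched length returns immediately, so an attacker can learn the length of the expected token, while the byte contents remain protected by `CRYPTO_memcmp`. If session tokens are always fixed length this is acceptable, and the comment should say so rather than only warning that the function is "ONLY constant time" for equal sizes. Minor style point: `const std::string_view a` passes the view by value, so the `const` qualifier on the parameter is redundant in both `constantTimeStringCompare` and `ConstantTimeCompare::operator()`; `std::string_view a` is the idiomatic form.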