Implement constant time string compare for token

The sessions implementation previously used operator== for session
comparisons.  While unlikely to be attackable in the current
implementation, due to the time smearing in a number of cases, modern
security practices recommend using constant time comparison.

Tested By:
Logged into the webui, and observed no change to login flows.  Logged
into redfish using Token Auth, and observed no changes.  Closed a
previous session, then reopened with the new session information to
verify user sessions are restored properly and still work.

Change-Id: Ie759e4da67ba004fd8c327f177951ac756ea6799
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Signed-off-by: James Feist <james.feist@linux.intel.com>
diff --git a/include/token_authorization_middleware.hpp b/include/token_authorization_middleware.hpp
index 7e4e3bb..e9eb65f 100644
--- a/include/token_authorization_middleware.hpp
+++ b/include/token_authorization_middleware.hpp
@@ -223,8 +223,14 @@
             {
                 return nullptr;
             }
+
+            if (csrf.size() != crow::persistent_data::sessionTokenSize)
+            {
+                return nullptr;
+            }
             // Reject if csrf token not available
-            if (csrf != session->csrfToken)
+            if (!crow::utility::constantTimeStringCompare(csrf,
+                                                          session->csrfToken))
             {
                 return nullptr;
             }
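Review bot: the unchanged comment `// Reject if csrf token not available` now sits directly above a constant-time mismatch check and no longer describes it; the "not available" case is already handled by the `return nullptr` at the top of the hunk. Suggest rewording to `// Reject if csrf token does not match the session's token`. Also, the new length guard compares only `csrf.size()` against `crow::persistent_data::sessionTokenSize`; if `crow::utility::constantTimeStringCompare` assumes equal-length inputs, it is worth documenting (or checking) that `session->csrfToken` is always `sessionTokenSize` long, otherwise a stored token of a different length reaches the compare with mismatched lengths. The early return on a wrong length is itself not constant time, but since the expected length is a public constant it reveals nothing about the token value, so that part is fine as written.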