From 8ee8043fd9fec0691b17966b28a4d20cd5c312ca Mon Sep 17 00:00:00 2001
From: hashmap
Date: Tue, 9 Oct 2018 15:32:53 +0200
Subject: [PATCH] Use constant-time token verification in API (#1690)

Fixes #1641. The size of the token can be leaked, even if we pad or cut user's input we can't make it indistinguishable form the normal case.
---
 Cargo.lock | 1 +
 api/Cargo.toml | 1 +
 api/src/auth.rs | 7 +++++--
 api/src/lib.rs | 1 +
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 8973b1160..5c1734985 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -681,6 +681,7 @@ dependencies = [
 "hyper-rustls 0.14.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "lazy_static 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "regex 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)",
+ "ring 0.13.2 (registry+https://github.com/rust-lang/crates.io-index)",
 "rustls 0.13.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "serde 1.0.79 (registry+https://github.com/rust-lang/crates.io-index)",
 "serde_derive 1.0.79 (registry+https://github.com/rust-lang/crates.io-index)",
diff --git a/api/Cargo.toml b/api/Cargo.toml
index d4ac82a2b..2cea4212b 100644
--- a/api/Cargo.toml
+++ b/api/Cargo.toml
@@ -11,6 +11,7 @@ failure_derive = "0.1.1"
 hyper = "0.12"
 lazy_static = "1"
 regex = "1"
+ring = "0.13"
 serde = "1"
 serde_derive = "1"
 serde_json = "1"
diff --git a/api/src/auth.rs b/api/src/auth.rs
index 2e2cfb336..84a48248e 100644
--- a/api/src/auth.rs
+++ b/api/src/auth.rs
@@ -15,6 +15,7 @@ use futures::future::ok;
 use hyper::header::{HeaderValue, AUTHORIZATION, WWW_AUTHENTICATE};
 use hyper::{Body, Request, Response, StatusCode};
+use ring::constant_time::verify_slices_are_equal;
 use router::{Handler, HandlerObj, ResponseFuture};
 // Basic Authentication Middleware
@@ -38,8 +39,10 @@ impl Handler for BasicAuthMiddleware {
 req: Request,
 mut handlers: Box>,
 ) -> ResponseFuture {
- if req.headers().contains_key(AUTHORIZATION)
- && req.headers()[AUTHORIZATION] == self.api_basic_auth
+ if req.headers().contains_key(AUTHORIZATION) && verify_slices_are_equal(
+ req.headers()[AUTHORIZATION].as_bytes(),
+ &self.api_basic_auth.as_bytes(),
+ ).is_ok()
 {
 handlers.next().unwrap().call(req, handlers)
 } else {
diff --git a/api/src/lib.rs b/api/src/lib.rs
index 9430c65de..5df900aaf 100644
--- a/api/src/lib.rs
+++ b/api/src/lib.rs
@@ -27,6 +27,7 @@ extern crate hyper;
 #[macro_use]
 extern crate lazy_static;
 extern crate regex;
+extern crate ring;
 extern crate serde;
 #[macro_use]
 extern crate serde_derive;
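Review bot: The `&` in `&self.api_basic_auth.as_bytes()` is redundant: `as_bytes()` already yields `&[u8]`, the call only compiles through auto-deref, and clippy's `needless_borrow` lint will flag it, so `self.api_basic_auth.as_bytes()` is enough. The `contains_key` test followed by `req.headers()[AUTHORIZATION]` also looks the header up twice and keeps a panicking index path; the whole condition can be written as `req.headers().get(AUTHORIZATION).map_or(false, |v| verify_slices_are_equal(v.as_bytes(), self.api_basic_auth.as_bytes()).is_ok())`. `verify_slices_are_equal` still returns `Err` as soon as the two lengths differ, so the length of the configured credential remains observable, as the commit message acknowledges; if that matters, comparing fixed-length digests of both values (`ring::digest` is available now that the crate is a dependency) removes the length dependency entirely. The enclosing handler method (presumably `call`) starts and ends outside the hunk.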