better constant time basic auth

keratin · Apr 4, 2020 · b7dca6d · b7dca6d
1 parent c10d1f3
commit b7dca6d
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,10 @@ Based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 * endpoint for checking zxcvbn password score [#149]
 * option to expire an account's sessions after a password change [#154]
 
+### Fixed
+
+* improvements to constant time comparison in basic auth (thanks @lsmith130)
+
 ## 1.8.0
 
 ### Added

diff --git a/lib/route/basic_auth_security.go b/lib/route/basic_auth_security.go
@@ -12,11 +12,12 @@ func BasicAuthSecurity(username string, password string, realm string) SecurityH
 
 	// SECURITY: ensure that both ConstantTimeCompare operations are run, so that a
 	// timing attack may not verify a correct username without a correct password.
+	// this is unable to hide the correct lengths of either, however.
 	match := func(u string, p string) bool {
 		usernameMatch := subtle.ConstantTimeCompare([]byte(u), []byte(username))
 		passwordMatch := subtle.ConstantTimeCompare([]byte(p), []byte(password))
 
-		return usernameMatch == 1 && passwordMatch == 1
+		return (usernameMatch & passwordMatch) == 1
 	}
 
 	return func(h http.Handler) http.Handler {