fix timing side channel in StringToken (closes lichess-org/talk#11)

pull/5042/head pre-responsive
Niklas Fiekas 2019-05-05 01:21:41 +02:00
parent 3d40c3a38f
commit 4b41ce0ae2
1 changed files with 2 additions and 1 deletions


@ -2,6 +2,7 @@ package lila.security
import com.roundeights.hasher.Algo
import lila.common.String.base64
import org.mindrot.BCrypt
import StringToken.ValueChecker
@ -24,7 +25,7 @@ private[security] final class StringToken[A](
def read(token: String): Fu[Option[A]] = (base64 decode token) ?? {
_ split separator match {
case Array(payloadStr, hashed, checksum) =>
(makeHash(signPayload(payloadStr, hashed)) == checksum) ?? {
BCrypt.bytesEqualSecure(makeHash(signPayload(payloadStr, hashed)).getBytes("utf-8"), checksum.getBytes("utf-8")) ?? {
val payload = serializer read payloadStr
(valueChecker match {
case ValueChecker.Same => hashCurrentValue(payload) map (hashed ==)
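Review bot: Nothing on the new `BCrypt.bytesEqualSecure(...)` line says why the checksum is compared this way, so a later cleanup could easily turn it back into `==`. A comment above it such as `// constant-time compare: == would leak how many leading checksum characters match` would pin the intent. The line would also read better with the recomputed value bound first, e.g. `val expected = makeHash(signPayload(payloadStr, hashed))`, and with `StandardCharsets.UTF_8` instead of the `"utf-8"` string literal. The `hashed ==` comparison in the `ValueChecker.Same` case is still a plain string compare; it runs only after the checksum has verified and `hashed` is one of the signed inputs, so it is presumably not attacker-steerable, but that should be confirmed against `signPayload`, which is not shown. The body of `read` continues past the end of the hunk.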