Merge remote-tracking branch 'exoscale/feature/constant-time'

This closes #65 Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2015-01-14 16:46:04 +05:30 · 2015-01-14 16:46:04 +05:30 · 78c3ef0e1e
parent 4eafdccc3d b2393c31ed
commit 78c3ef0e1e
4 changed files with 48 additions and 3 deletions
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@ -40,6 +40,7 @@ import com.cloud.user.DomainManager;
 import com.cloud.user.User;
 import com.cloud.user.UserAccount;
 import com.cloud.user.UserVO;
+import com.cloud.utils.ConstantTimeComparator;
 import com.cloud.utils.HttpUtils;
 import com.cloud.utils.NumbersUtil;
 import com.cloud.utils.Pair;
@ -910,9 +911,11 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
            final SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
            mac.init(keySpec);
            mac.update(unsignedRequest.getBytes());
+
            final byte[] encryptedBytes = mac.doFinal();
            final String computedSignature = Base64.encodeBase64String(encryptedBytes);
-            final boolean equalSig = signature.equals(computedSignature);
+            final boolean equalSig = ConstantTimeComparator.compareStrings(signature, computedSignature);
+
            if (!equalSig) {
                s_logger.info("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);
            } else {
--- a/server/src/com/cloud/servlet/ConsoleProxyServlet.java
+++ b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
@ -54,6 +54,7 @@ import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.user.User;
 import com.cloud.uservm.UserVm;
+import com.cloud.utils.ConstantTimeComparator;
 import com.cloud.utils.Pair;
 import com.cloud.utils.Ternary;
 import com.cloud.utils.db.EntityManager;
@ -659,7 +660,7 @@ public class ConsoleProxyServlet extends HttpServlet {
            mac.update(unsignedRequest.getBytes());
            byte[] encryptedBytes = mac.doFinal();
            String computedSignature = Base64.encodeBase64String(encryptedBytes);
-            boolean equalSig = signature.equals(computedSignature);
+            boolean equalSig = ConstantTimeComparator.compareStrings(signature, computedSignature);
            if (!equalSig) {
                s_logger.debug("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);
            }
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@ -135,6 +135,7 @@ import com.cloud.user.Account.State;
 import com.cloud.user.dao.AccountDao;
 import com.cloud.user.dao.UserAccountDao;
 import com.cloud.user.dao.UserDao;
+import com.cloud.utils.ConstantTimeComparator;
 import com.cloud.utils.NumbersUtil;
 import com.cloud.utils.Pair;
 import com.cloud.utils.Ternary;
@ -488,6 +489,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M

    @Override
    public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, String apiName, ControlledEntity... entities) {
+
        //check for the same owner
        Long ownerId = null;
        ControlledEntity prevEntity = null;
@ -2061,7 +2063,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
                mac.update(unsignedRequest.getBytes());
                byte[] encryptedBytes = mac.doFinal();
                String computedSignature = new String(Base64.encodeBase64(encryptedBytes));
-                boolean equalSig = signature.equals(computedSignature);
+                boolean equalSig = ConstantTimeComparator.compareStrings(signature, computedSignature);
                if (!equalSig) {
                    s_logger.info("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);
                } else {
--- a/utils/src/com/cloud/utils/ConstantTimeComparator.java
+++ b/utils/src/com/cloud/utils/ConstantTimeComparator.java
@ -0,0 +1,39 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.utils;
+
+public class ConstantTimeComparator {
+
+    public static boolean compareBytes(byte[] b1, byte[] b2) {
+        if (b1.length != b2.length) {
+            return false;
+        }
+
+        int result = 0;
+        for (int i = 0; i < b1.length; i++) {
+            result |= b1[i] ^ b2[i];
+        }
+        return result == 0;
+    }
+
+    public static boolean compareStrings(String s1, String s2) {
+        return compareBytes(s1.getBytes(), s2.getBytes());
+    }
+}