appservice/http: use constant time comparisons for access tokens

2026-03-14 14:25:53 +01:00 · 2025-03-16 15:05:55 +02:00 · 2025-03-16 15:05:55 +02:00 · c0d1df18b4
commit c0d1df18b4
parent e1938c5159
4 changed files with 8 additions and 6 deletions
--- a/appservice/http.go
+++ b/appservice/http.go
@ -19,6 +19,7 @@ import (

 	"github.com/gorilla/mux"
 	"github.com/rs/zerolog"
+	"go.mau.fi/util/exstrings"

 	"maunium.net/go/mautrix"
 	"maunium.net/go/mautrix/event"
@ -83,7 +84,7 @@ func (as *AppService) CheckServerToken(w http.ResponseWriter, r *http.Request) (
 			HTTPStatus: http.StatusForbidden,
 			Message:    "Missing access token",
 		}.Write(w)
-	} else if authHeader[len("Bearer "):] != as.Registration.ServerToken {
+	} else if !exstrings.ConstantTimeEqual(authHeader[len("Bearer "):], as.Registration.ServerToken) {
 		Error{
 			ErrorCode:  ErrUnknownToken,
 			HTTPStatus: http.StatusForbidden,
--- a/bridgev2/matrix/provisioning.go
+++ b/bridgev2/matrix/provisioning.go
@ -21,6 +21,7 @@ import (
 	"github.com/rs/xid"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/hlog"
+	"go.mau.fi/util/exstrings"
 	"go.mau.fi/util/jsontime"
 	"go.mau.fi/util/requestlog"

@ -207,7 +208,7 @@ func (prov *ProvisioningAPI) DebugAuthMiddleware(h http.Handler) http.Handler {
 				Err:     "Missing auth token",
 				ErrCode: mautrix.MMissingToken.ErrCode,
 			})
-		} else if auth != prov.br.Config.Provisioning.SharedSecret {
+		} else if !exstrings.ConstantTimeEqual(auth, prov.br.Config.Provisioning.SharedSecret) {
 			jsonResponse(w, http.StatusUnauthorized, &mautrix.RespError{
 				Err:     "Invalid auth token",
 				ErrCode: mautrix.MUnknownToken.ErrCode,
@ -235,7 +236,7 @@ func (prov *ProvisioningAPI) AuthMiddleware(h http.Handler) http.Handler {
 		if userID == "" && prov.GetUserIDFromRequest != nil {
 			userID = prov.GetUserIDFromRequest(r)
 		}
-		if auth != prov.br.Config.Provisioning.SharedSecret {
+		if !exstrings.ConstantTimeEqual(auth, prov.br.Config.Provisioning.SharedSecret) {
 			var err error
 			if strings.HasPrefix(auth, "openid:") {
 				err = prov.checkFederatedMatrixAuth(r.Context(), userID, strings.TrimPrefix(auth, "openid:"))
--- a/go.mod
+++ b/go.mod
@ -18,7 +18,7 @@ require (
 	github.com/tidwall/gjson v1.18.0
 	github.com/tidwall/sjson v1.2.5
 	github.com/yuin/goldmark v1.7.8
-	go.mau.fi/util v0.8.6-0.20250313222444-739a30158a62
+	go.mau.fi/util v0.8.6-0.20250316130503-05facedd4121
 	go.mau.fi/zeroconfig v0.1.3
 	golang.org/x/crypto v0.36.0
 	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394
--- a/go.sum
+++ b/go.sum
@ -54,8 +54,8 @@ github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
 github.com/yuin/goldmark v1.7.8 h1:iERMLn0/QJeHFhxSt3p6PeN9mGnvIKSpG9YYorDMnic=
 github.com/yuin/goldmark v1.7.8/go.mod h1:uzxRWxtg69N339t3louHJ7+O03ezfj6PlliRlaOzY1E=
-go.mau.fi/util v0.8.6-0.20250313222444-739a30158a62 h1:8EjBMxX7QkT94/815jKIVK5k41ku+ES3SxSk8DyQRk4=
-go.mau.fi/util v0.8.6-0.20250313222444-739a30158a62/go.mod h1:uNB3UTXFbkpp7xL1M/WvQks90B/L4gvbLpbS0603KOE=
+go.mau.fi/util v0.8.6-0.20250316130503-05facedd4121 h1:d7KUA46BWjtyEwJjVSvtZnQln+lR3+cdvzw4z2nCyhM=
+go.mau.fi/util v0.8.6-0.20250316130503-05facedd4121/go.mod h1:uNB3UTXFbkpp7xL1M/WvQks90B/L4gvbLpbS0603KOE=
 go.mau.fi/zeroconfig v0.1.3 h1:As9wYDKmktjmNZW5i1vn8zvJlmGKHeVxHVIBMXsm4kM=
 go.mau.fi/zeroconfig v0.1.3/go.mod h1:NcSJkf180JT+1IId76PcMuLTNa1CzsFFZ0nBygIQM70=
 golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=