Skip to content

Commit

Permalink
fix(rumqttd): Implement constant-time password comparison in authenti…
Browse files Browse the repository at this point in the history
…cation logic (#829)
  • Loading branch information
Inventor77 authored Mar 26, 2024
1 parent 5e2c1de commit 3c9b4f9
Show file tree
Hide file tree
Showing 4 changed files with 9 additions and 8 deletions.
1 change: 1 addition & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion rumqttd/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Make write method return the number of bytes written correctly everywhere

### Security

- Implement constant-time password comparison in authentication logic
---

## [rumqttd 0.19.0] - 12-12-2023
Expand Down
1 change: 1 addition & 0 deletions rumqttd/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ clap = { version = "4.4", features = ["derive"] }
axum = "0.7.4"
rand = "0.8.5"
uuid = { version = "1.7.0", features = ["v4", "fast-rng"] }
subtle = "2.5"

[features]
default = ["use-rustls", "websocket"]
Expand Down
13 changes: 6 additions & 7 deletions rumqttd/src/link/remote.rs
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ use std::collections::VecDeque;
use std::io;
use std::sync::Arc;
use std::time::Duration;
use subtle::ConstantTimeEq;
use tokio::time::error::Elapsed;
use tokio::{select, time};
use tracing::{trace, Span};
Expand Down Expand Up @@ -254,15 +255,13 @@ async fn handle_auth(
}

if let Some(pairs) = &config.auth {
let static_auth_verified = pairs
.iter()
.any(|(user, pass)| (user, pass) == (username, password));

if !static_auth_verified {
return Err(Error::InvalidAuth);
if let Some(stored_password) = pairs.get(username) {
if stored_password.as_bytes().ct_eq(password.as_bytes()).into() {
return Ok(());
}
}

return Ok(());
return Err(Error::InvalidAuth);
}

Err(Error::InvalidAuth)
Expand Down

0 comments on commit 3c9b4f9

Please sign in to comment.