Mirrors/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-06-12 21:27:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

Implement constant time equal check for admin, 2fa recover and 2fa remember tokens

Browse Source
This commit is contained in:
Daniel García
2019-02-11 23:45:55 +01:00
parent bbe2a1b264
commit 9636f33fdb
4 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/api/admin.rs
View File

@ -89,7 +89,7 @@ fn post_admin_login(data: Form<LoginForm>, mut cookies: Cookies, ip: ClientIp) -
fn _validate_token(token: &str) -> bool {
match CONFIG.admin_token().as_ref() {
None => false,
Some(t) => t == token,
Some(t) => crate::crypto::ct_eq(t, token),
}
}

3
src/api/identity.rs
View File

@ -170,8 +170,9 @@ fn twofactor_auth(
match TwoFactorType::from_i32(provider) {
Some(TwoFactorType::Remember) => {
use crate::crypto::ct_eq;
match device.twofactor_remember {
Some(ref remember) if remember == twofactor_code => return Ok(None), // No twofactor token needed here
Some(ref remember) if ct_eq(remember, twofactor_code) => return Ok(None), // No twofactor token needed here
_ => err_json!(_json_err_twofactor(&providers, user_uuid, conn)?),
}
}