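--- a/internal/webapi/admin.go
+++ b/internal/webapi/admin.go
@@ -1,10 +1,12 @@
-// Copyright (c) 2020-2024 The Decred developers
+// Copyright (c) 2020-2025 The Decred developers
 // Use of this source code is governed by an ISC
 // license that can be found in the LICENSE file.
 
 package webapi
 
 import (
+	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/json"
 	"net/http"
 
@@ -263,7 +265,11 @@ func (w *WebAPI) adminLogin(c *gin.Context) {
 
 	password := c.PostForm("password")
 
-	if password != w.cfg.AdminPass {
+	// subtle.ConstantTimeCompare returns immediately if the params are not the
+	// same length. Avoid this by comparing hashes (which will be fixed length)
+	// instead of the raw passwords.
+	passwordHash := sha256.Sum256([]byte(password))
+	if subtle.ConstantTimeCompare(passwordHash[:], w.adminPassHash[:]) != 1 {
 		w.log.Warnf("Failed login attempt from %s", c.ClientIP())
 		c.HTML(http.StatusUnauthorized, "login.html", gin.H{
 			"WebApiCache": cacheData,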
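Review bot: The hash-based compare in adminLogin still accepts a request with a missing or empty `password` field whenever the configured `AdminPass` is empty, because `sha256.Sum256` of the empty PostForm value equals the hash stored for an empty config value; this is pre-existing behaviour that the commit preserves rather than introduces. Unless `Config` loading already rejects an empty `AdminPass` (not visible in this hunk), the cheapest fix is a startup check in that loader, e.g. `if cfg.AdminPass == "" { return nil, errors.New("adminpass must be set") }`, so the constant-time comparison never runs against a known-empty secret. The rest of adminLogin, including whatever happens on success, begins and ends outside this hunk, so I cannot tell from here whether failed attempts are throttled beyond the warn log.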
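--- a/internal/webapi/webapi.go
+++ b/internal/webapi/webapi.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2020-2024 The Decred developers
+// Copyright (c) 2020-2025 The Decred developers
 // Use of this source code is governed by an ISC
 // license that can be found in the LICENSE file.
 
@@ -7,6 +7,7 @@ package webapi
 import (
 	"context"
 	"crypto/ed25519"
+	"crypto/sha256"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@@ -67,15 +68,16 @@ const (
 )
 
 type WebAPI struct {
-	cfg         Config
-	db          *database.VspDatabase
-	log         slog.Logger
-	addrGen     *addressGenerator
-	cache       *cache
-	signPrivKey ed25519.PrivateKey
-	signPubKey  ed25519.PublicKey
-	server      *http.Server
-	listener    net.Listener
+	cfg           Config
+	db            *database.VspDatabase
+	log           slog.Logger
+	addrGen       *addressGenerator
+	cache         *cache
+	adminPassHash [sha256.Size]byte
+	signPrivKey   ed25519.PrivateKey
+	signPubKey    ed25519.PublicKey
+	server        *http.Server
+	listener      net.Listener
 }
 
 func New(vdb *database.VspDatabase, log slog.Logger, dcrd rpc.DcrdConnect,
@@ -121,14 +123,15 @@ func New(vdb *database.VspDatabase, log slog.Logger, dcrd rpc.DcrdConnect,
 	}
 
 	w := &WebAPI{
-		cfg:         cfg,
-		db:          vdb,
-		log:         log,
-		addrGen:     addrGen,
-		cache:       cache,
-		signPrivKey: signPrivKey,
-		signPubKey:  signPubKey,
-		listener:    listener,
+		cfg:           cfg,
+		db:            vdb,
+		log:           log,
+		addrGen:       addrGen,
+		cache:         cache,
+		adminPassHash: sha256.Sum256([]byte(cfg.AdminPass)),
+		signPrivKey:   signPrivKey,
+		signPubKey:    signPubKey,
+		listener:      listener,
 	}
 
 	w.server = &http.Server{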
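Review bot: The new `adminPassHash` field in the WebAPI struct carries no comment, and since `cfg.AdminPass` is still held in plaintext on the same struct a later reader may mistake the unsalted SHA-256 for password storage rather than what it is here, a fixed-length operand for `subtle.ConstantTimeCompare`. I would document that intent on the field: `// adminPassHash is the SHA-256 of cfg.AdminPass. It exists only so adminLogin can compare fixed-length values in constant time; it is not a stored credential and the plaintext remains in cfg.` Because `cfg` is stored by value, zeroing `cfg.AdminPass` after hashing would not remove the caller's copy, so the comment rather than a clearing step is the honest fix. The body of New continues outside this hunk, so I cannot see whether an empty `cfg.AdminPass` is rejected before the hash is taken.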