-rw-r--r-- | Cargo.lock | 7 | ||||
-rw-r--r-- | Cargo.toml | 1 | ||||
-rw-r--r-- | src/main.rs | 7 |
3 files changed, 13 insertions, 2 deletions
@@ -362,6 +362,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 
 [[package]]
+name = "constant_time_eq"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13418e745008f7349ec7e449155f419a61b92b58a99cc3616942b926825ec76b"
+
+[[package]]
 name = "convert_case"
 version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -900,6 +906,7 @@ version = "0.1.0"
 dependencies = [
  "actix-web",
  "actix-web-httpauth",
+ "constant_time_eq",
  "nix",
  "rustls",
  "rustls-pemfile",
@@ -8,6 +8,7 @@ edition = "2021"
 [dependencies]
 actix-web = { version = "4.3.1", features = ["rustls"] }
 actix-web-httpauth = "0.8.0"
+constant_time_eq = "0.2.5"
 nix = "0.26.2"
 rustls = "0.20.0"
 rustls-pemfile = "1.0.2"
diff --git a/src/main.rs b/src/main.rs
index 6b058ab..52e233b 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,6 +1,6 @@
 use rustkrazy_admind::{Error, Result};
 
-use std::fs::File;
+use std::fs::{self, File};
 use std::io::{self, BufReader};
 
 use actix_web::{
@@ -9,6 +9,7 @@ use actix_web::{
 use actix_web_httpauth::extractors::basic::{BasicAuth, Config};
 use actix_web_httpauth::extractors::AuthenticationError;
 use actix_web_httpauth::middleware::HttpAuthentication;
+use constant_time_eq::constant_time_eq;
 use nix::sys::reboot::{reboot, RebootMode};
 use rustls::{Certificate, PrivateKey, ServerConfig};
 use rustls_pemfile::{certs, pkcs8_private_keys};
@@ -46,7 +47,9 @@ async fn basic_auth_validator(
 }
 
 fn validate_credentials(user_id: &str, user_password: &str) -> io::Result<bool> {
-    if user_id == "rustkrazy" && user_password == "rustkrazy" {
+    let correct_password = fs::read("/data/admind.passwd")?;
+
+    if user_id == "rustkrazy" && constant_time_eq(user_password.as_bytes(), &correct_password) {
         return Ok(true);
     }
 
|
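Review bot: In the new `validate_credentials` body, `fs::read` returns the file's raw bytes, so a `/data/admind.passwd` that ends in a newline (as most editors and `echo` produce) will not match the submitted password even when it is correct; strip it before comparing, e.g. `let stored = fs::read("/data/admind.passwd")?;` then `let stored = stored.strip_suffix(b"\n").unwrap_or(&stored);` and pass `stored` to `constant_time_eq`. Note also that `constant_time_eq` returns immediately when the two lengths differ, so the compare is only constant-time once lengths match and the stored secret's length stays observable; verifying against a fixed-length password hash instead of the plaintext secret would remove that and avoid keeping the admin password in clear text on disk. The file is also re-read on every authentication attempt, which is fine for a small admin daemon but deserves a one-line comment stating it is intentional. `validate_credentials` continues past the end of the hunk.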