prevent side channel attacks in the mesh authorization code

This commit is contained in:
Jenny Danzmayr 2023-12-01 17:11:06 +01:00
parent f5e3aeb15a
commit 78ff88a390


@ -14,6 +14,7 @@ from channels.generic.websocket import AsyncJsonWebsocketConsumer, AsyncWebsocke
from django.conf import settings from django.conf import settings
from django.db import transaction from django.db import transaction
from django.utils import timezone from django.utils import timezone
from django.utils.crypto import constant_time_compare
from c3nav.mesh import messages from c3nav.mesh import messages
from c3nav.mesh.messages import (MESH_BROADCAST_ADDRESS, MESH_NONE_ADDRESS, MESH_ROOT_ADDRESS, OTA_CHUNK_SIZE, from c3nav.mesh.messages import (MESH_BROADCAST_ADDRESS, MESH_NONE_ADDRESS, MESH_ROOT_ADDRESS, OTA_CHUNK_SIZE,
@ -58,7 +59,8 @@ class MeshConsumer(AsyncWebsocketConsumer):
async def connect(self): async def connect(self):
self.headers = dict(self.scope["headers"]) self.headers = dict(self.scope["headers"])
if self.headers[b'authorization'].strip() != b'Bearer '+settings.SECRET_MESH_KEY.encode(): if not constant_time_compare(self.headers[b'authorization'].strip(),
b'Bearer '+settings.SECRET_MESH_KEY.encode()):
raise DenyConnection raise DenyConnection
# await self.log_text(None, "new mesh websocket connection") # await self.log_text(None, "new mesh websocket connection")