author: Ed Tanous <ed.tanous@intel.com> 2018-09-05 16:07:32 -0700
committer: James Feist <james.feist@linux.intel.com> 2019-11-18 21:27:43 +0000
commit: 51dae67d0069281593a76e4ceb5f8ede1bc4abdc (patch)
tree: 1c731844a72da20749d609503e616d52560b8910 /http
parent: d500549b209761e46791458b49ce2fee5c8b682b (diff)
Implement constant time string compare for token
The sessions implementation previously used operator== for session comparisons. While unlikely to be attackable in the current implementation, due to the time smearing in a number of cases, modern security practices recommend using constant time comparison.

Tested By: Logged into the webui, and observed no change to login flows. Logged into redfish using Token Auth, and observed no changes. Closed a previous session, then reopened with the new session information to verify user sessions are restored properly and still work.

Change-Id: Ie759e4da67ba004fd8c327f177951ac756ea6799
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Signed-off-by: James Feist <james.feist@linux.intel.com>
Diffstat (limited to 'http')
-rw-r--r-- http/utility.h | 22
1 files changed, 22 insertions, 0 deletions
diff --git a/http/utility.h b/http/utility.h
index 3ea5806..ee88e5a 100644
--- a/http/utility.h
+++ b/http/utility.h
@@ -2,6 +2,8 @@
#include "nlohmann/json.hpp"
+#include <openssl/crypto.h>
+
#include <cstdint>
#include <cstring>
#include <functional>
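Review bot: adding `#include <openssl/crypto.h>` to http/utility.h makes every translation unit that includes this header depend on the OpenSSL headers (and on libcrypto at link time) for the sake of one CRYPTO_memcmp call. If utility.h is included broadly, consider placing constantTimeStringCompare in a smaller header or a .cpp so that only the session/token code pays for that dependency.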
@@ -779,5 +781,25 @@ inline std::string dateTimeNow()
return getDateTime(time);
}
+inline bool constantTimeStringCompare(const std::string_view a,
+ const std::string_view b)
+{
+ // Important note, this function is ONLY constant time if the two input
+ // sizes are the same
+ if (a.size() != b.size())
+ {
+ return false;
+ }
+ return CRYPTO_memcmp(a.data(), b.data(), a.size()) == 0;
+}
+
+struct ConstantTimeCompare
+{
+ bool operator()(const std::string_view a, const std::string_view b) const
+ {
+ return constantTimeStringCompare(a, b);
+ }
+};
+
} // namespace utility
} // namespace crow
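Review bot: the early `return false` on `a.size() != b.size()` runs before CRYPTO_memcmp, so the function is constant time only for equal-length inputs, as the comment already says; for token comparison this reveals only whether the submitted token has the stored token's length, which is fine when every issued token has one fixed length, but the comment should state that callers are expected to guarantee that rather than leave it as an "Important note". Also, `ConstantTimeCompare::operator()` returns an equality result, so it is a KeyEqual predicate for unordered containers and not a strict-weak-ordering Compare usable with std::map or std::set; a short comment on the struct would prevent misuse. Minor: `const std::string_view` taken by value makes the `const` redundant.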