Webhook signature checking should use a constant-time comparison function

[slashnick]

stripe-rs/src/resources/event.rs

Line 264 in e15d3ab

if hex != signature.v1 {

This code is vulnerable to a timing attack, because the != check takes a different amount of time if more characters from the provided signature are correct.

An exploit over the network is unlikely, but as a best practice this should be a constant-time comparison.

[seanpianka]

Thanks for reviewing the code and reporting this vulnerability! This bug should definitely get fixed soon.

I've found some crates we can use to implement this:

• ring::constant_time::verify_slices_are_equal
• dalek-cryptography/subtle
• crypto::util::fixed_time_eq

[smailbarkouch]

I believe you can do constant time comparisons just using hmac's own functions. This function can help do that for you I believe. You would need to replace the to_hex function with something that converts the signature from the header into a slice (this would introduce another error though).

The crate I mentioned in this issue contains a decode function.

[arlyon]

I implemented this downstream in the async fork, as I understood it at the time it was not possible to do constant time checking but happy to see that that is possible without an extra dep! I will also apply this fix there, so thank you.

[arlyon]

Closing this, thanks @smailbarkouch