diff --git a/server/Cargo.lock b/server/Cargo.lock
index 60e3fea..eaffadb 100644
--- a/server/Cargo.lock
+++ b/server/Cargo.lock
@@ -1014,9 +1014,9 @@ checksum = "7655c9839580ee829dfacba1d1278c2b7883e50a277ff7541299489d6bdfdc45"
 
 [[package]]
 name = "itertools"
-version = "0.12.1"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569"
+checksum = "2b192c782037fadd9cfa75548310488aabdbf3d2da73885b31bd0abd03351285"
 dependencies = [
 "either",
 ]
@@ -1043,15 +1043,15 @@ dependencies = [
 
 [[package]]
 name = "jiff-tzdb"
-version = "0.1.2"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf2cec2f5d266af45a071ece48b1fb89f3b00b2421ac3a5fe10285a6caaa60d3"
+checksum = "c1283705eb0a21404d2bfd6eef2a7593d240bc42a0bdb39db0ad6fa2ec026524"
 
 [[package]]
 name = "jiff-tzdb-platform"
-version = "0.1.2"
+version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a63c62e404e7b92979d2792352d885a7f8f83fd1d0d31eea582d77b2ceca697e"
+checksum = "875a5a69ac2bab1a891711cf5eccbec1ce0341ea805560dcd90b7a2e925132e8"
 dependencies = [
 "jiff-tzdb",
 ]
@@ -1101,9 +1101,9 @@ dependencies = [
 
 [[package]]
 name = "libsqlite3-sys"
-version = "0.31.0"
+version = "0.32.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ad8935b44e7c13394a179a438e0cebba0fe08fe01b54f152e29a93b5cf993fd4"
+checksum = "fbb8270bb4060bd76c6e96f20c52d80620f1d82a3470885694e41e0f81ef6fe7"
 dependencies = [
 "cc",
 "pkg-config",
@@ -1322,6 +1322,7 @@ dependencies = [
 "serde",
 "serde_json",
 "smallvec",
+"subtle",
 "tempfile",
 "tokio",
 "tokio-tungstenite",
@@ -1897,9 +1898,9 @@ dependencies = [
 
 [[package]]
 name = "rusqlite"
-version = "0.33.0"
+version = "0.34.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1c6d5e5acb6f6129fe3f7ba0a7fc77bca1942cb568535e18e7bc40262baf3110"
+checksum = "37e34486da88d8e051c7c0e23c3f15fd806ea8546260aa2fec247e97242ec143"
 dependencies = [
 "bitflags",
 "fallible-iterator",
@@ -2155,9 +2156,9 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "2.0.96"
+version = "2.0.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d5d0adab1ae378d7f53bdebc67a39f1f151407ef230f0ce2883572f5d8985c80"
+checksum = "b09a44accad81e1ba1cd74a32461ba89dee89095ba17b32f5d03683b1b1fc2a0"
 dependencies = [
 "proc-macro2",
 "quote",
diff --git a/server/Cargo.toml b/server/Cargo.toml
index 174a359..b631e83 100644
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -26,12 +26,12 @@ members = ["base", "db"]
 [workspace.dependencies]
 base64 = "0.22.0"
 h264-reader = "0.8.0"
-itertools = "0.12.0"
-jiff = "0.1.8"
+itertools = "0.14.0"
+jiff = "0.1.6"
 nix = "0.27.0"
 pretty-hex = "0.4.0"
 ring = "0.17.0"
-rusqlite = "0.33.0"
+rusqlite = "0.34.0"
 tracing = { version = "0.1" }
 tracing-core = "0.1.30"
 tracing-futures = { version = "0.2.5", features = ["futures-03", "std-future"] }
@@ -98,6 +98,7 @@ hyper-util = { version = "0.1.7", features = ["server-graceful", "tokio"] }
 http-body = "1.0.1"
 http-body-util = "0.1.2"
 pin-project = "1.1.10"
+subtle = "2.6.1"
 
 [target.'cfg(target_os = "linux")'.dependencies]
 libsystemd = "0.7.0"
diff --git a/server/src/web/mod.rs b/server/src/web/mod.rs
index f609295..62d20d2 100644
--- a/server/src/web/mod.rs
+++ b/server/src/web/mod.rs
@@ -84,7 +84,8 @@ fn serve_json(
 fn csrf_matches(csrf: &str, session: auth::SessionHash) -> bool {
 let mut b64 = [0u8; 32];
 session.encode_base64(&mut b64);
-::ring::constant_time::verify_slices_are_equal(&b64[..], csrf.as_bytes()).is_ok()
+use subtle::ConstantTimeEq as _;
+b64.ct_eq(csrf.as_bytes()).into()
 }
 
 /// Extracts `s` cookie from the HTTP request headers. Does not authenticate.
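Review bot: `csrf_matches` still has no doc comment saying why the comparison must be constant-time, and the new `ct_eq` call on the last line of its body is exactly where a later edit could quietly regress to `==`. subtle documents that `ct_eq` on slices returns early when the lengths differ, so the token length stays timing-observable; that looks harmless here because the expected value is always the 32-byte `b64` buffer, but it is worth recording. I would add `/// Compares the CSRF token with the base64 session hash in constant time; a length mismatch returns early and reveals only the fixed length (32).` above the function. As a style point, `bool::from(b64.ct_eq(csrf.as_bytes()))` states the `Choice`-to-`bool` conversion explicitly instead of relying on return-type inference through `.into()`, and the `use subtle::ConstantTimeEq as _;` line reads better as the first line of the body than in between statements.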