Skip to content

Constant-time evaluation of non-bcrypt passwords#5247

Merged
derekcollison merged 1 commit intomainfrom
neil/authconstanttime
Mar 26, 2024
Merged

Constant-time evaluation of non-bcrypt passwords#5247
derekcollison merged 1 commit intomainfrom
neil/authconstanttime

Conversation

@neilalexander
Copy link
Copy Markdown
Member

@neilalexander neilalexander commented Mar 26, 2024

This ensures that comparison of non-bcrypted passwords is done in constant time, whereas otherwise timing information may be apparent on a network with next to no jitter.

Reported-by: Trail of Bits https://www.trailofbits.com
Signed-off-by: Neil Twigg neil@nats.io

@neilalexander
Constant-time evaluation of non-bcrypt passwords
815d21f 
Signed-off-by: Neil Twigg <neil@nats.io>
@neilalexander neilalexander requested a review from a team as a code owner March 26, 2024 11:35
derekcollison
derekcollison reviewed Mar 26, 2024
View reviewed changes
server/auth.go
// turning a string into []byte normally.
spass := stringToBytes(serverPassword)
cpass := stringToBytes(clientPassword)
if subtle.ConstantTimeCompare(spass, cpass) == 0 {
Copy link
Copy Markdown
Member

@derekcollison derekcollison Mar 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So this will slow down reconnect yes?

Copy link
Copy Markdown
Member Author

@neilalexander neilalexander Mar 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be marginal, standard string comparison will give up on the first mismatching character, whereas ConstantTimeCompare iterates over all characters before returning (unless they're different lengths, in which case it gives up immediately).

Copy link
Copy Markdown
Member

@philpennock philpennock Mar 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be about no difference in time for valid credentials. Should only make invalid credential rejection slower.

derekcollison
derekcollison approved these changes Mar 26, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@derekcollison derekcollison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@derekcollison derekcollison merged commit 7befb03 into main Mar 26, 2024
@derekcollison derekcollison deleted the neil/authconstanttime branch March 26, 2024 17:54
@neilalexander neilalexander mentioned this pull request Apr 4, 2024
Merged
derekcollison added a commit that referenced this pull request Apr 4, 2024
@derekcollison
Cherry-pick PRs for v2.10.14-RC.2 (#5278)
8cafe5b 
Cherry-pick the following PRs into the v2.10.14 release branch:

* #5237
* #5238
* #5242
* #5208
* #5244
* #5248
* #5246
* #5112
* #5247
* #5256
* #5258
* #5264
* #5266
* #5267
* #5265
* #5271
* #5270
* #5272
* #5276
* #5274
* #5275
* #5277
* #5279

Signed-off-by: Neil Twigg <neil@nats.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@philpennock philpennock philpennock left review comments

@derekcollison derekcollison derekcollison approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@neilalexander @derekcollison @philpennock