From c310049faaa7757af98b3c8f6acd77cc7571c349 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Thu, 11 Mar 2021 12:08:49 +1100 Subject: [PATCH] refactor(authentication): use crypto constant time compare (#1800) * refactor(authentication): use crypto constant time compare Improve security with usage of the crypto/subtle ConstantTimeCompare() method for hash comparison. Fixes #1799 * docs: add explicit labels for chat types --- README.md | 4 ++-- internal/authentication/password_hash.go | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c91a6355..79f64d86 100644 --- a/README.md +++ b/README.md @@ -12,8 +12,8 @@ [![AUR development version](https://img.shields.io/aur/version/authelia-git?logo=arch-linux&label=authelia-git&style=flat-square&color=blue)](https://aur.archlinux.org/packages/authelia-git/) [![License](https://img.shields.io/github/license/authelia/authelia?logo=apache&style=flat-square&color=blue)][Apache 2.0] [![Sponsor](https://img.shields.io/opencollective/all/authelia-sponsors?logo=Open%20Collective&label=financial%20contributors&style=flat-square&color=blue)](https://opencollective.com/authelia-sponsors) - [![Discord](https://img.shields.io/discord/707844280412012608?logo=discord&style=flat-square&color=blue)](https://discord.authelia.com) - [![Matrix](https://img.shields.io/matrix/authelia:matrix.org?logo=matrix&style=flat-square&color=blue)](https://riot.im/app/#/room/#authelia:matrix.org) + [![Discord](https://img.shields.io/discord/707844280412012608?label=discord&logo=discord&style=flat-square&color=blue)](https://discord.authelia.com) + [![Matrix](https://img.shields.io/matrix/authelia:matrix.org?label=matrix&logo=matrix&style=flat-square&color=blue)](https://riot.im/app/#/room/#authelia:matrix.org) **Authelia** is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your diff --git a/internal/authentication/password_hash.go b/internal/authentication/password_hash.go index d9b3c435..604b4a01 100644 --- a/internal/authentication/password_hash.go +++ b/internal/authentication/password_hash.go @@ -1,6 +1,7 @@ package authentication import ( + "crypto/subtle" "errors" "fmt" "strconv" @@ -151,7 +152,7 @@ func CheckPassword(password, hash string) (ok bool, err error) { return false, err } - return passwordHash.Key == expectedHash.Key, nil + return subtle.ConstantTimeCompare([]byte(passwordHash.Key), []byte(expectedHash.Key)) == 1, nil } func getCryptSettings(salt string, algorithm CryptAlgo, iterations, memory, parallelism, keyLength int) (settings string) {