userdb: Use a constant-time byte comparison in PasswordMatches

PasswordMatches calculates the proposed derived key, and then compares it with the actual derived key. That comparison is done using bytes.Equal, which is not in constant time. In theory, users with knowledge of the salt could use timing to extract information about the actual derived key. In practice, the salt is not being exposed to users, and the caller of PasswordMatches will add a delay to password checks, so it should not be easy to exploit via chasquid. But just to be safe and more future-proof, this patch changes the comparison to be in constant time.
2025-12-23 15:37:01 +00:00 · 2017-04-26 10:26:54 +01:00
parent 17eff21279
commit 2caaec3d8b
1 changed files with 4 additions and 2 deletions
--- a/internal/userdb/userdb.go
+++ b/internal/userdb/userdb.go
@@ -33,8 +33,8 @@ package userdb
 //go:generate protoc --go_out=. userdb.proto

 import (
-	"bytes"
 	"crypto/rand"
+	"crypto/subtle"
 	"errors"
 	"fmt"
 	"sync"
@@ -210,5 +210,7 @@ func (s *Scrypt) PasswordMatches(plain string) bool {
 		panic(fmt.Sprintf("scrypt failed: %v", err))
 	}

-	return bytes.Equal(dk, []byte(s.Encrypted))
+	// This comparison should be high enough up the stack that it doesn't
+	// matter, but do it in constant time just in case.
+	return subtle.ConstantTimeCompare(dk, []byte(s.Encrypted)) == 1
 }