diff options
| author | sunnavy <sunnavy@bestpractical.com> | 2021-08-12 01:06:26 +0300 |
|---|---|---|
| committer | sunnavy <sunnavy@bestpractical.com> | 2021-08-12 01:06:26 +0300 |
| commit | 1fd0c7614d6a204878f01f7c9b3578812df2faae (patch) | |
| tree | 77850ea1ccb37806cf7040e08cadd11611b10578 | |
| parent | 6b3f75f80b5f7b2b8d59f0259de696e8ebed25d3 (diff) | |
| parent | d16f8cf13c2af517ee55a85e7b91a0267477189f (diff) | |
Merge branch 'security/4.2/timing-side-channel' into security/4.2.17-relengrt-4.2.17
| -rw-r--r-- | lib/RT/Interface/Web.pm | 8 | ||||
| -rw-r--r-- | lib/RT/User.pm | 9 |
2 files changed, 14 insertions, 3 deletions
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm index 4b9daa5311..1d59a2f235 100644 --- a/lib/RT/Interface/Web.pm +++ b/lib/RT/Interface/Web.pm @@ -804,9 +804,17 @@ sub AttemptPasswordAuthentication { my $user_obj = RT::CurrentUser->new(); $user_obj->Load( $ARGS->{user} ); + # Load the RT system user as well to avoid timing side channel + my $system_user = RT::CurrentUser->new(); + $system_user->Load(1); # User with ID 1 should always exist! + my $m = $HTML::Mason::Commands::m; unless ( $user_obj->id && $user_obj->IsPassword( $ARGS->{pass} ) ) { + if (!$user_obj->id) { + # Avoid timing side channel... always run IsPassword + $system_user->IsPassword( $ARGS->{pass} ); + } $RT::Logger->error("FAILED LOGIN for @{[$ARGS->{user}]} from $ENV{'REMOTE_ADDR'}"); $m->callback( %$ARGS, CallbackName => 'FailedLogin', CallbackPage => '/autohandler' ); return (0, HTML::Mason::Commands::loc('Your username or password is incorrect')); diff --git a/lib/RT/User.pm b/lib/RT/User.pm index 98bb783665..c5d82df8a5 100644 --- a/lib/RT/User.pm +++ b/lib/RT/User.pm @@ -976,15 +976,18 @@ sub IsPassword { } if ( $self->PrincipalObj->Disabled ) { + # Run the bcrypt generator to avoid timing side-channel attacks + RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64); $RT::Logger->info( "Disabled user " . $self->Name . " tried to log in" ); return (undef); } unless ($self->HasPassword) { - return(undef); - } - + # Run the bcrypt generator to avoid timing side-channel attacks + RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64); + return undef; + } my $stored = $self->__Value('Password'); if ($stored =~ /^!/) { # If it's a new-style (>= RT 4.0) password, it starts with a '!' |