Refactor code to use subtle.ConstantTimeCompare for secure comparison (…

…#466) * Refactor code to use subtle.ConstantTimeCompare for secure comparison * Refactor code to use subtle.ConstantTimeCompare for secure comparison
tg123 · Oct 21, 2024 · a3f6995 · a3f6995
1 parent 3087aa4
commit a3f6995
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 6 deletions.
diff --git a/plugin/docker/docker.go b/plugin/docker/docker.go
@@ -3,8 +3,8 @@
 package main
 
 import (
-	"bytes"
 	"context"
+	"crypto/subtle"
 	"encoding/base64"
 	"fmt"
 	"net"
@@ -211,7 +211,7 @@ func (p *plugin) findAndCreateUpstream(conn libplugin.ConnMetadata, password str
 				return nil, err
 			}
 
-			if bytes.Equal(authedPubkey.Marshal(), publicKey) {
+			if subtle.ConstantTimeCompare(authedPubkey.Marshal(), publicKey) == 1 {
 				return p.createUpstream(conn, pipe, "")
 			}
 		}

diff --git a/plugin/internal/workingdir/workingdir.go b/plugin/internal/workingdir/workingdir.go
@@ -2,7 +2,7 @@ package workingdir
 
 import (
 	"bufio"
-	"bytes"
+	"crypto/subtle"
 	"fmt"
 	"os"
 	"path"
@@ -60,7 +60,7 @@ func (w *Workingdir) Mapkey(pub []byte) ([]byte, error) {
 			return nil, err
 		}
 
-		if bytes.Equal(authedPubkey.Marshal(), pub) {
+		if subtle.ConstantTimeCompare(authedPubkey.Marshal(), pub) == 1 {
 			log.Infof("found mapping key %v", w.fullpath(userKeyFile))
 			return w.Readfile(userKeyFile)
 		}

diff --git a/plugin/kubernetes/kubernetes.go b/plugin/kubernetes/kubernetes.go
@@ -3,6 +3,7 @@ package main
 import (
 	"bytes"
 	"context"
+	"crypto/subtle"
 	"encoding/base64"
 	"fmt"
 	"os"
@@ -295,7 +296,7 @@ func (p *plugin) findAndCreateUpstream(conn libplugin.ConnMetadata, password str
 						return nil, err
 					}
 
-					if bytes.Equal(authedPubkey.Marshal(), publicKey) {
+					if subtle.ConstantTimeCompare(authedPubkey.Marshal(), publicKey) == 1 {
 						return p.createUpstream(conn, pipe, "")
 					}
 				}

diff --git a/plugin/yaml/yaml.go b/plugin/yaml/yaml.go
@@ -4,6 +4,7 @@ package main
 
 import (
 	"bytes"
+	"crypto/subtle"
 	"encoding/base64"
 	"fmt"
 	"os"
@@ -329,7 +330,7 @@ func (p *plugin) findAndCreateUpstream(conn libplugin.ConnMetadata, password str
 					return nil, err
 				}
 
-				if bytes.Equal(authedPubkey.Marshal(), publicKey) {
+				if subtle.ConstantTimeCompare(authedPubkey.Marshal(), publicKey) == 1 {
 					return p.createUpstream(conn, pipe.To, "")
 				}
 			}