From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <m.carrara@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id AA45A933B9
 for <pbs-devel@lists.proxmox.com>; Mon, 19 Feb 2024 17:11:41 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 8316832C57
 for <pbs-devel@lists.proxmox.com>; Mon, 19 Feb 2024 17:11:11 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pbs-devel@lists.proxmox.com>; Mon, 19 Feb 2024 17:11:11 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id C9BAA4381E
 for <pbs-devel@lists.proxmox.com>; Mon, 19 Feb 2024 17:11:10 +0100 (CET)
Message-ID: <29e05069-547e-46a5-9ed2-befbfbe0e4b5@proxmox.com>
Date: Mon, 19 Feb 2024 17:11:09 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: pbs-devel@lists.proxmox.com
References: <20240215152001.269490-1-s.sterz@proxmox.com>
 <20240215152001.269490-7-s.sterz@proxmox.com>
From: Max Carrara <m.carrara@proxmox.com>
In-Reply-To: <20240215152001.269490-7-s.sterz@proxmox.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.006 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE    -0.01 -
Subject: Re: [pbs-devel] [PATCH proxmox 06/12] sys: crypt: use constant time
 comparison for password verification
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Mon, 19 Feb 2024 16:11:41 -0000

On 2/15/24 16:19, Stefan Sterz wrote:
> by using `openssl::memcmp::eq()` we can avoid potential timing side
> channels as its runtime only depends on the length of the arrays, not
> the contents. this requires the two arrays to have the same length, but
> that should be a given since the hashes should always have the same
> length.
> 
> Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>

See my reply to patch 04 - the usage of `openssl::memcmp::eq()` in the legacy
code block there could be merged with this commit first before moving to / implementing
HMAC.

LGTM otherwise, but see the comment inline.

> ---
>  proxmox-sys/Cargo.toml   | 3 ++-
>  proxmox-sys/src/crypt.rs | 8 +++++++-
>  2 files changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/proxmox-sys/Cargo.toml b/proxmox-sys/Cargo.toml
> index 5ddbe21..1a44702 100644
> --- a/proxmox-sys/Cargo.toml
> +++ b/proxmox-sys/Cargo.toml
> @@ -16,6 +16,7 @@ lazy_static.workspace = true
>  libc.workspace = true
>  log.workspace = true
>  nix.workspace = true
> +openssl = { workspace = true, optional = true }
>  regex.workspace = true
>  serde_json.workspace = true
>  serde = { workspace = true, features = [ "derive" ] }
> @@ -29,5 +30,5 @@ proxmox-time.workspace = true
>  default = []
>  logrotate = ["dep:zstd"]
>  acl = []
> -crypt = []
> +crypt = ["dep:openssl"]
>  timer = []
> diff --git a/proxmox-sys/src/crypt.rs b/proxmox-sys/src/crypt.rs
> index fa10911..3313f66 100644
> --- a/proxmox-sys/src/crypt.rs
> +++ b/proxmox-sys/src/crypt.rs
> @@ -155,9 +155,15 @@ pub fn encrypt_pw(password: &str) -> Result<String, Error> {
>  /// Verify if an encrypted password matches
>  pub fn verify_crypt_pw(password: &str, enc_password: &str) -> Result<(), Error> {
>      let verify = crypt(password.as_bytes(), enc_password.as_bytes())?;
> -    if verify != enc_password {
> +
> +    // `openssl::memcmp::eq()`'s runtime does not depend on the content of the arrays only the
> +    // length, this makes it harder to exploit timing side-channels.
> +    if verify.len() != enc_password.len()
> +        || !openssl::memcmp::eq(verify.as_bytes(), enc_password.as_bytes())

Like in my comment on patch 04, would it make sense here to split these checks into two
for more fine-grained error messaging? Or are there any reasons why they should be together?

> +    {
>          bail!("invalid credentials");
>      }
> +
>      Ok(())
>  }
>