Page MenuHomePhabricator

Don't use "phutil_hashes_are_identical()" to compare public keys
ClosedPublic

Authored by epriestley on Oct 29 2019, 1:31 AM.
Tags
None
Referenced Files
F18736248: D20875.id.diff
Wed, Oct 1, 5:14 AM
F18731156: D20875.diff
Tue, Sep 30, 2:07 PM
F18731121: D20875.diff
Tue, Sep 30, 1:59 PM
F18727300: D20875.diff
Tue, Sep 30, 7:51 AM
F18726918: D20875.diff
Tue, Sep 30, 7:22 AM
F18701363: D20875.diff
Sat, Sep 27, 6:43 PM
F18619169: D20875.diff
Mon, Sep 15, 1:53 AM
F18601494: D20875.id49765.diff
Sat, Sep 13, 12:39 PM
Subscribers
Tokens
"Y So Serious" token, awarded by leoluk.

Details

Summary

Ref T13436. There's no real security value to doing this comparison, it just wards off evil "security researchers" who get upset if you ever compare two strings with a non-constant-time algorithm.

In practice, SSH public keys are pretty long, pretty public, and have pretty similar lengths. This leads to a relatively large amount of work to do constant-time comparisons on them (we frequently can't abort early after identifying differing string length).

Test Plan

Ran bin/ssh-auth --sshd-key ... on secure with ~1K keys, saw runtime drop by ~50% (~400ms to ~200ms) with ===.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable