
Potential misuse of linear-time or constant-time password comparisons #7456

brandond opened this issue May 8, 2023 · 1 comment

brandond commented May 8, 2023

h/t to @porcupineyhairs

There are several places in the codebase where passwords are either directly compared, or where subtle.ConstantTimeCompare is misused to directly compare passwords. In places where the password length is variable, we should instead only use constant-time comparisons of password hashes, as per the discussion at golang/go#47001

We do not believe that this constitutes a vulnerability, as the current deficiencies only provide a theoretical vector by which password lengths could be derived via an unknown side-channel attack, and the lengths of the affected passwords (the cluster join token, and the node secret) are already well-known in most cases due to their having hard-coded default sizes when K3s is left to generate them for itself.
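The three comparison patterns the comment contrasts, as an added example written for this page (not K3s code and not from the linked Go discussion): an ordinary `==`, `subtle.ConstantTimeCompare` applied to the raw secrets, and the recommended form that hashes both sides to a fixed length before the constant-time compare. The function names and the token strings are constructed for illustration and are not K3s identifiers or real token formats.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// compareDirect is the first pattern the issue describes: a plain string
// comparison. Go's == on strings checks the lengths first and then stops at the
// first differing byte, so its running time depends on whether the lengths
// match and on how far into the string the inputs agree.
func compareDirect(supplied, expected string) bool {
	return supplied == expected
}

// compareConstantTimeRaw is the second pattern, the one the issue calls a
// misuse: subtle.ConstantTimeCompare on the raw secrets. The function is only
// constant-time for inputs of equal length; when the lengths differ it returns
// 0 immediately, so the time taken still reveals whether the supplied length
// matches the expected one. Harmless if the length is public, which is the
// issue's argument for this not being a vulnerability, but not what the name
// suggests.
func compareConstantTimeRaw(supplied, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(supplied), []byte(expected)) == 1
}

// compareHashed is the recommended form. Both sides are hashed to a fixed
// 32-byte digest (SHA-256 here; any fixed-output hash serves the purpose of
// equalising the lengths), and the digests are compared in constant time. The
// comparison now does the same amount of work whatever the lengths of the two
// secrets, so neither the length nor the position of the first mismatch shows
// up in timing. This is a length-hiding measure for high-entropy tokens, not a
// password-hashing scheme: it adds no work factor and no salt.
func compareHashed(supplied, expected string) bool {
	s := sha256.Sum256([]byte(supplied))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(s[:], e[:]) == 1
}

// verifyAgainstStoredDigest shows the same idea when the expected secret is
// kept only as its digest, so the comparison side never needs the raw value.
func verifyAgainstStoredDigest(supplied string, expectedDigest [sha256.Size]byte) bool {
	s := sha256.Sum256([]byte(supplied))
	return subtle.ConstantTimeCompare(s[:], expectedDigest[:]) == 1
}

func main() {
	// Constructed sample values, not real tokens.
	expected := "example-join-token-0123456789"
	for _, supplied := range []string{expected, "example-join-token-0123456780", "short"} {
		fmt.Printf("%-32q direct=%v ctRaw=%v hashed=%v\n",
			supplied,
			compareDirect(supplied, expected),
			compareConstantTimeRaw(supplied, expected),
			compareHashed(supplied, expected))
	}
	stored := sha256.Sum256([]byte(expected))
	fmt.Println("stored-digest check:", verifyAgainstStoredDigest(expected, stored))
}
```

All three functions return the same boolean for the same inputs; the difference is only in what their running time depends on, which is the point of the issue. The hashed form is the one to reach for wherever the secret length is not already public.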


fmoral2 commented May 11, 2023

No specific tests to be run.

But I have validated cluster joins with different roles and tokens.

All OK.

@fmoral2 fmoral2 closed this as completed May 11, 2023
@github-project-automation github-project-automation bot moved this from To Test to Done Issue in K3s Development May 11, 2023