[Rt-commit] rt branch 4.2.17-releng created. rt-4.2.16-12-g1fd0c7614d

BPS Git Server git at git.bestpractical.com
Tue Sep 14 17:37:32 UTC 2021


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 4.2.17-releng has been created
        at  1fd0c7614d6a204878f01f7c9b3578812df2faae (commit)

- Log -----------------------------------------------------------------
commit 1fd0c7614d6a204878f01f7c9b3578812df2faae
Merge: 6b3f75f80b d16f8cf13c
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Aug 12 06:06:26 2021 +0800

    Merge branch 'security/4.2/timing-side-channel' into security/4.2.17-releng


commit d16f8cf13c2af517ee55a85e7b91a0267477189f
Author: Dianne Skoll <dianne at bestpractical.com>
Date:   Fri Jan 15 09:15:20 2021 -0500

    Always check password to avoid timing side channel attacks on login page
    
    This addresses CVE-2021-38562.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 4b9daa5311..1d59a2f235 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -804,9 +804,17 @@ sub AttemptPasswordAuthentication {
     my $user_obj = RT::CurrentUser->new();
     $user_obj->Load( $ARGS->{user} );
 
+    # Load the RT system user as well to avoid timing side channel
+    my $system_user = RT::CurrentUser->new();
+    $system_user->Load(1);    # User with ID 1 should always exist!
+
     my $m = $HTML::Mason::Commands::m;
 
     unless ( $user_obj->id && $user_obj->IsPassword( $ARGS->{pass} ) ) {
+        if (!$user_obj->id) {
+            # Avoid timing side channel... always run IsPassword
+            $system_user->IsPassword( $ARGS->{pass} );
+        }
         $RT::Logger->error("FAILED LOGIN for @{[$ARGS->{user}]} from $ENV{'REMOTE_ADDR'}");
         $m->callback( %$ARGS, CallbackName => 'FailedLogin', CallbackPage => '/autohandler' );
         return (0, HTML::Mason::Commands::loc('Your username or password is incorrect'));
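Review bot: The dummy `$system_user->IsPassword($ARGS->{pass})` in the new `if (!$user_obj->id)` branch only equalises timing if user 1 does the same bcrypt work as a real account, and this hunk does not show whether RT_System has a stored password; if it has none the call presumably lands in IsPassword's no-password fallback with whatever cost that path picks rather than the cost of a live hash, so the two cases may still be distinguishable — worth a comment such as `# Relies on user 1 taking the same bcrypt path/cost as a real account; verify in tests` next to the `Load(1)`. The code also assumes `Load(1)` succeeded ("should always exist!"), but if it did not, IsPassword runs on an unloaded object; a guard like `$RT::Logger->error("Could not load system user for timing padding") unless $system_user->id;` right after the load would make that failure visible instead of silent. The remaining difference between the nonexistent-user and wrong-password paths is the user lookup and the error log, which seems inherent here. AttemptPasswordAuthentication starts and ends outside this hunk.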
diff --git a/lib/RT/User.pm b/lib/RT/User.pm
index 98bb783665..c5d82df8a5 100644
--- a/lib/RT/User.pm
+++ b/lib/RT/User.pm
@@ -976,15 +976,18 @@ sub IsPassword {
     }
 
    if ( $self->PrincipalObj->Disabled ) {
+        # Run the bcrypt generator to avoid timing side-channel attacks
+        RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
         $RT::Logger->info(
             "Disabled user " . $self->Name . " tried to log in" );
         return (undef);
     }
 
     unless ($self->HasPassword) {
-        return(undef);
-     }
-
+        # Run the bcrypt generator to avoid timing side-channel attacks
+        RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
+        return undef;
+    }
     my $stored = $self->__Value('Password');
     if ($stored =~ /^!/) {
         # If it's a new-style (>= RT 4.0) password, it starts with a '!'
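Review bot: The bcrypt cost used by the dummy `_GeneratePassword_bcrypt($value)` calls in the Disabled and no-password branches is not visibly tied to the cost of a live stored hash — in the no-password branch there is no stored hash to take salt or cost from, so presumably a default applies; if that default differs from the cost of real hashes the timing channel remains measurable, which deserves a comment and a test rather than an assumption. The same two lines are now duplicated, so if the real verification path changes algorithm or cost the dummies silently drift; a private helper such as `sub _PadPasswordCheck { my ($self, $value) = @_; RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64); return; }` called from both branches would keep them in step. The `'0' x 64` comparand also assumes constant_time_eq does not short-circuit on a length mismatch with the bcrypt output — confirm against RT::Util. The legacy non-`!` hash branch beginning on this hunk's last line is a separate, unpadded path, and IsPassword begins and ends outside this hunk.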

-----------------------------------------------------------------------

