Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/subtle: ConstantTimeCompare should not immediately return if the slices aren't of equal length #28382

Closed
mikebaldry opened this issue Oct 25, 2018 · 3 comments
Closed

crypto/subtle: ConstantTimeCompare should not immediately return if the slices aren't of equal length #28382

mikebaldry opened this issue Oct 25, 2018 · 3 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Unplanned

Comments

@mikebaldry
Copy link

What version of Go are you using (go version)?

go version go1.11 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/mikeyb/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/mikeyb/.asdf/installs/golang/1.11/packages"
GOPROXY=""
GORACE=""
GOROOT="/Users/mikeyb/.asdf/installs/golang/1.11/go"
GOTMPDIR=""
GOTOOLDIR="/Users/mikeyb/.asdf/installs/golang/1.11/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/mikeyb/projects/happenings/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/32/kykt1fps7d7blx2k6h9zmxx80000gp/T/go-build549217116=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Looked at the source of ConstantTimeCompare

What did you expect to see?

That it compares all possible values in a constant time to avoid timing attacks

What did you see instead?

That when the length of the slices being compared isn't the same, it returns straight away, making it possible to use a timing attack to discover the correct length
@agnivade agnivade changed the title crypto/subtle ConstantTimeCompare should not immediately return if the slices aren't of equal length crypto/subtle: ConstantTimeCompare should not immediately return if the slices aren't of equal length Oct 25, 2018
@agnivade agnivade added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 25, 2018
@agnivade agnivade added this to the Unplanned milestone Oct 25, 2018
@agnivade
Copy link
Contributor

/cc @FiloSottile @agl

@ALTree
Copy link
Member

ALTree commented Oct 25, 2018

Dup of #18936

@bcmills
Copy link
Contributor

bcmills commented Oct 25, 2018

Closing as duplicate.

Per https://golang.org/issue/18936#issuecomment-313797253, it is up to callers to ensure that ConstantTimeCompare is called with slices of the same length.

(If you find an erroneous caller in the standard library or x/crypto, please follow up with security@golang.org per https://golang.org/security.)

@bcmills bcmills closed this as completed Oct 25, 2018
@golang golang locked and limited conversation to collaborators Oct 25, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Unplanned
Development

No branches or pull requests
5 participants
@mikebaldry @agnivade @ALTree @bcmills @gopherbot