Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use hash_equals when comparing to pwhash from cookie #1652

Merged
merged 1 commit into from
Dec 6, 2020
Merged

Use hash_equals when comparing to pwhash from cookie #1652

merged 1 commit into from
Dec 6, 2020

Conversation

aidantwoods
Copy link
Contributor

By submitting this pull request, I confirm the following:

  • I have read and understood the contributors guide, as well as this entire template.
  • I have made only one major change in my proposed changes.
  • I have commented my proposed changes within the code.
  • I have tested my proposed changes.
  • I am willing to help maintain this change if there are issues with it later.
  • I give this submission freely and claim no ownership.
  • It is compatible with the EUPL 1.2 license
  • I have squashed any insignificant commits. (git rebase)
  • I have Signed Off all commits. (git commit --signoff)

What does this PR aim to accomplish?:

As discussed at the Pi-hole security mailbox, opening a PR to address this:

In the file scripts/pi-hole/php/password.php for the Pi-hole web user interface, I noted that most comparisons are made in a time safe manner, however there is a single authentication relevant comparison made which does not utilise this protection. Namely here https://github.com/pi-hole/AdminLTE/blob/8ac95be7c1870b3c10824fdb70ed216ad334f0aa/scripts/pi-hole/php/password.php#L45 a basic (type safe) equality is made when comparing the string stored in the cookie persistentlogin to the password hash stored on disk. It may therefore be possible to infer the stored password hash by carrying out a timing attack against this parameter.

This PR aims to prevent the possibility of a timing attack against the persistentlogin cookie to reveal the stored password hash.

How does this PR accomplish the above?:

Use hash_equals for this comparison, as is currently done in similar operations.

What documentation changes (if any) are needed to support this PR?:

None.

@aidantwoods
Use hash_equals when comparing to pwhash from cookie
85c7a3b 
This should prevent a timing attack against this parameter to
disclose the stored passsword hash.

Signed-off-by: Aidan Woods <aidantwoods@gmail.com>
@PromoFaux PromoFaux merged commit ec0bd75 into pi-hole:devel Dec 6, 2020
@aidantwoods aidantwoods deleted the hash_equals-for-pwhash-compare branch December 6, 2020 16:39
@PromoFaux PromoFaux mentioned this pull request Dec 23, 2020
Merged
@pralor-bot
Copy link

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pi-hole-core-web-v5-2-2-and-ftl-v5-3-3-released/41998/1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PromoFaux PromoFaux PromoFaux approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aidantwoods @pralor-bot @PromoFaux