Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Early authentication timing failure could leak username correctness #5904

Closed
AaronFeickert opened this issue Nov 3, 2023 · 1 comment
Closed

Early authentication timing failure could leak username correctness #5904

AaronFeickert opened this issue Nov 3, 2023 · 1 comment

Comments

@AaronFeickert
Copy link
Collaborator

AaronFeickert commented Nov 3, 2023
edited
Loading

When gRPC credentials are validated, an error is returned if either the username or passphrase are incorrect. However, a failed username check will fail the validation immediately without checking the passphrase. This could introduce a timing attack.

It should always be the case that both a supplied username and passphrase are validated before returning a generic error to the caller.
@AaronFeickert AaronFeickert mentioned this issue Nov 4, 2023
Closed
@AaronFeickert AaronFeickert changed the title Authentication timing could leak username correctness Early authentication timing failure could leak username correctness Nov 4, 2023
@AaronFeickert AaronFeickert mentioned this issue Nov 8, 2023
Merged
4 tasks
@AaronFeickert
Copy link
Collaborator Author

Fixed by #5902.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: don't fail early on bad gRPC username AaronFeickert/tari
1 participant
@AaronFeickert