LibCore: Use timing_safe_compare to compare password hash values

This is not strictly required, as we are comparing hashes, not the password it self. However given this is generic code that could be used anywhere in the system, it seems prudent to be cautious and make sure we don't inadvertently leak any information about the hash via timing attacks in future usages of `LibCore::Account`. Reported-by: Jessica Hamilton <jessica.l.hamilton@gmail.com>
Author: https://github.com/bgianfo Commit: 3ab2b90744 Pull-request: https://github.com/SerenityOS/serenity/pull/13021 Reviewed-by: https://github.com/alimpfard Reviewed-by: https://github.com/awesomekling ✅
2025-09-11 12:06:07 +00:00 · 2022-03-12 21:50:31 -08:00 · 2022-03-12 21:50:31 -08:00 · 3ab2b90744 · 2024-07-17 17:27:55 +09:00
commit 3ab2b90744
parent 390666b9fa
1 changed files with 3 additions and 1 deletions
--- a/Userland/Libraries/LibCore/Account.cpp
+++ b/Userland/Libraries/LibCore/Account.cpp
@ -1,10 +1,12 @@
 /*
 * Copyright (c) 2020, Peter Elliott <pelliott@serenityos.org>
+ * Copyright (c) 2021-2022, Brian Gianforcaro <bgianf@serenityos.org>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

 #include <AK/Base64.h>
+#include <AK/Memory.h>
 #include <AK/Random.h>
 #include <AK/ScopeGuard.h>
 #include <LibCore/Account.h>
@ -134,7 +136,7 @@ bool Account::authenticate(SecretString const& password) const

    // FIXME: Use crypt_r if it can be built in lagom.
    char* hash = crypt(password.characters(), m_password_hash.characters());
-    return hash != nullptr && strcmp(hash, m_password_hash.characters()) == 0;
+    return hash != nullptr && AK::timing_safe_compare(hash, m_password_hash.characters(), m_password_hash.length());
 }

 bool Account::login() const