1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 14:00:56 +01:00
phorge-phorge/scripts/ssh
epriestley 4a53fc339e Don't use "phutil_hashes_are_identical()" to compare public keys
Summary:
Ref T13436. There's no real security value to doing this comparison, it just wards off evil "security researchers" who get upset if you ever compare two strings with a non-constant-time algorithm.

In practice, SSH public keys are pretty long, pretty public, and have pretty similar lengths. This leads to a relatively large amount of work to do constant-time comparisons on them (we frequently can't abort early after identifying differing string length).

Test Plan: Ran `bin/ssh-auth --sshd-key ...` on `secure` with ~1K keys, saw runtime drop by ~50% (~400ms to ~200ms) with `===`.

Maniphest Tasks: T13436

Differential Revision: https://secure.phabricator.com/D20875
2019-10-28 18:34:30 -07:00
..
ssh-auth.php Don't use "phutil_hashes_are_identical()" to compare public keys 2019-10-28 18:34:30 -07:00
ssh-connect.php Add parsing for ssh options (-o) which are passed when using GIT v2 wire protocol by git command (SSH transport) 2018-08-02 16:42:59 +03:00
ssh-exec.php Use phutil_microseconds_since(...) to simplify some timing arithmetic 2018-11-08 16:46:32 -08:00