#1254 closed defect (wontfix)
nginx leaks Basic Auth password through timing side channel when {PLAIN} method is used
| Reported by: | Leon Klingele | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | |
| Component: | nginx-module | Version: | 1.11.x |
| Keywords: | security, timing, side, channel | Cc: | |
| uname -a: | - | ||
| nginx -V: |
nginx version: nginx/1.12.0
built by gcc 4.9.2 (Debian 4.9.2-10) built with LibreSSL 2.5.3 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=%{_libdir}/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-file-aio --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security' --with-ld-opt=-Wl,-z,relro --with-ipv6 --with-openssl=submodules/libressl --with-pcre=submodules/pcre --with-pcre-jit |
||
Description
When using a {PLAIN} password inside the auth_basic_user_file file (e.g. admin:{PLAIN}myplaintextpassword), nginx leaks this cleartext password through a timing side channel.
Call stack:
- https://github.com/nginx/nginx/blob/beaaeb9f9e642d1d153ee65569d99499eef624e9/src/http/modules/ngx_http_auth_basic_module.c#L297
- https://github.com/nginx/nginx/blob/beaaeb9f9e642d1d153ee65569d99499eef624e9/src/core/ngx_crypt.c#L36
- https://github.com/nginx/nginx/blob/beaaeb9f9e642d1d153ee65569d99499eef624e9/src/core/ngx_crypt.c#L167-L184
- https://github.com/nginx/nginx/blob/beaaeb9f9e642d1d153ee65569d99499eef624e9/src/http/modules/ngx_http_auth_basic_module.c#L305
ngx_strcmp is defined via
#define ngx_strcmp(s1, s2) strcmp((const char *) s1, (const char *) s2)
and thus not timing-resistant.
Please switch to a constant time algorithm, e.g.
unsigned char result = 0;
size_t i = 0;
for (i = 0; i < maxlen; i++) {
result |= buf1[i] ^ buf2[i];
}
// Free buffers
return result == 0;
Change History (4)
comment:1 by , 8 years ago
comment:2 by , 8 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Quote from the docs (http://nginx.org/r/auth_basic_user_file):
currently implemented schemes include PLAIN (an example one, should not be used)
comment:3 by , 8 years ago
| sensitive: | 1 → 0 |
|---|
comment:4 by , 8 years ago
Then why do you still support it / mention it in the docs? Using the PLAIN method is (well, should be) perfectly fine if it's used with a random, one-time password. The scheme has some advantages, especially for public staging servers. IMO that 'should not be used' note is no excuse for the non-constant timing implementation.
Your issue tracker is broken. I explicitly checked the "Sensitive" checkbox but the issue is still public.