Skip to content

Commit

Permalink
policy: Use timing-safe string comparison
Browse files Browse the repository at this point in the history
[ upstream commit 1e298fa ]

When validating the input header value against a secret, it is advisable
to use a timing-safe string comparison operator with a runtime that is
independent of the number of equivalent prefix bytes of the secret and
header value. This commit is to use CRYPTO_memcmp function[^1] for string
comparison, similar to what is done in envoy codebase.

[^1]: https://github.com/openssl/openssl/blob/master/doc/man3/CRYPTO_memcmp.pod

Signed-off-by: Tam Mach <tam.mach@cilium.io>
  • Loading branch information
sayboras committed Oct 22, 2024
1 parent 8037dcc commit fa4efef
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions cilium/network_policy.cc
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
#include "cilium/grpc_subscription.h"
#include "cilium/ipcache.h"
#include "cilium/secret_watcher.h"
#include "openssl/ssl.h"

namespace Envoy {
namespace Cilium {
Expand Down Expand Up @@ -75,8 +76,13 @@ class HeaderMatch : public Logger::Loggable<Logger::Id::config> {
else if (value_.length() == 0)
ENVOY_LOG(info, "Cilium HeaderMatch missing SDS secret value for header {}", name_);
}
if (header_value.result().has_value())
matches = (header_value.result().value() == *match_value);
if (header_value.result().has_value()) {
const absl::string_view val = header_value.result().value();
if (val.length() == match_value->length()) {
// Use constant time comparison for security reason
matches = CRYPTO_memcmp(val.data(), match_value->data(), match_value->length()) == 0;
}
}
}

if (matches) {
Expand Down

0 comments on commit fa4efef

Please sign in to comment.