From 2defb13396b9b09b202c3a141685e0888b5a0221 Mon Sep 17 00:00:00 2001
From: octeep
Date: Thu, 31 Mar 2022 10:07:44 +0100
Subject: [PATCH] constant time string comparison for socks5 credential validation
---
 routine.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/routine.go b/routine.go
index 7c683f8..de8463f 100644
--- a/routine.go
+++ b/routine.go
@@ -2,6 +2,7 @@ package wireproxy
 import (
 "context"
+ "crypto/subtle"
 "errors"
 "fmt"
 "io"
@@ -110,7 +111,9 @@ func (config *Socks5Config) SpawnRoutine(vt *VirtualTun) {
 }
 func (c CredentialValidator) Valid(username, password string) bool {
- return c.username == username && c.password == password
+ u := subtle.ConstantTimeCompare([]byte(c.username), []byte(username))
+ p := subtle.ConstantTimeCompare([]byte(c.password), []byte(password))
+ return u&p == 1
 }
 func connForward(bufSize int, from io.ReadWriteCloser, to io.ReadWriteCloser) {
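Review bot: `subtle.ConstantTimeCompare` returns 0 immediately when its two slices differ in length, so the new `Valid` still lets response timing depend on whether the supplied username or password has the same length as the configured one. Hashing both sides to a fixed size before the comparison removes that dependency on the configured secret's length; the version below does this with SHA-256 and needs `crypto/sha256` added to the import block touched by the first hunk. The `u&p == 1` combination is fine as written, since `&` binds tighter than `==` in Go and both comparisons always run.

```go
func (c CredentialValidator) Valid(username, password string) bool {
	wantUser, gotUser := sha256.Sum256([]byte(c.username)), sha256.Sum256([]byte(username))
	wantPass, gotPass := sha256.Sum256([]byte(c.password)), sha256.Sum256([]byte(password))
	u := subtle.ConstantTimeCompare(wantUser[:], gotUser[:])
	p := subtle.ConstantTimeCompare(wantPass[:], gotPass[:])
	// … unchanged: return u&p == 1 …
```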