constant time string comparison for socks5 credential validation

2025-04-29 19:01:42 +02:00 · 2022-03-31 10:07:44 +01:00 · 2022-03-31 10:07:44 +01:00 · c1989bf6f0
commit c1989bf6f0
parent 6b05fcc6ca
1 changed files with 4 additions and 1 deletions
--- a/routine.go
+++ b/routine.go
@ -2,6 +2,7 @@ package wireproxy

 import (
 	"context"
+	"crypto/subtle"
 	"errors"
 	"fmt"
 	"io"
@ -110,7 +111,9 @@ func (config *Socks5Config) SpawnRoutine(vt *VirtualTun) {
 }

 func (c CredentialValidator) Valid(username, password string) bool {
-	return c.username == username && c.password == password
+	u := subtle.ConstantTimeCompare([]byte(c.username), []byte(username))
+	p := subtle.ConstantTimeCompare([]byte(c.password), []byte(password))
+	return u&p == 1
 }

 func connForward(bufSize int, from io.ReadWriteCloser, to io.ReadWriteCloser) {