Skip to content

redis: constant-time compare for downstream auth password#45472

Merged
nezdolik merged 1 commit into
envoyproxy:mainfrom
jmestwa-coder:redis-auth-consttime
Jun 25, 2026
Merged

redis: constant-time compare for downstream auth password#45472
nezdolik merged 1 commit into
envoyproxy:mainfrom
jmestwa-coder:redis-auth-consttime

Conversation

@jmestwa-coder

Copy link
Copy Markdown
Contributor

compare the AUTH password against each configured downstream password with CRYPTO_memcmp in checkPassword instead of std::string ==, which short-circuits on the first mismatch and leaks the configured password by timing over the network.

@repokitteh-read-only

Copy link
Copy Markdown

Hi @jmestwa-coder, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #45472 was opened by jmestwa-coder.

see: more, trace.

@nezdolik

Copy link
Copy Markdown
Member

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Redis proxy filter to use a constant-time comparison via OpenSSL's CRYPTO_memcmp for checking downstream auth passwords, which helps prevent timing attacks. The review feedback recommends using angle brackets instead of double quotes for the external OpenSSL header inclusion to follow standard C++ style guidelines.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

#include "source/common/config/datasource.h"
#include "source/common/config/utility.h"

#include "openssl/mem.h"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

External dependency headers (such as OpenSSL) should be included using angle brackets (<...>) rather than double quotes ("...") to adhere to standard C++ include style guidelines.

#include <openssl/mem.h>
#include <openssl/sha.h>

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jmestwa-coder can you address this one?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done, switched it to angle brackets and pushed.

@nezdolik

nezdolik commented Jun 22, 2026

Copy link
Copy Markdown
Member

waiting for addressing feedback

/wait

@nezdolik

Copy link
Copy Markdown
Member

please fix format

/wait

Signed-off-by: Syed Mohammed Nayyar <jmestwa@gmail.com>
@jmestwa-coder

Copy link
Copy Markdown
Contributor Author

format fixed and pushed. the openssl include was sorting after the source/ block; moved it up to the angle-bracket .h group so it lands before the stdlib headers, matching gcp_authn/crypto_utils.cc. clang-format is clean now.

@nezdolik nezdolik merged commit f8d0fc1 into envoyproxy:main Jun 25, 2026
28 checks passed
bellatoris added a commit to bellatoris/envoy that referenced this pull request Jul 5, 2026
Conflicts were confined to the RESP3-extended client factory lineage and
resolved by adopting upstream envoyproxy#45607 std::optional/std::nullopt spelling
while keeping the RESP3 additions:
- ClientFactory/ClientImpl create + ctor signatures keep the appended
  upstream_protocol_version and OptRef<Stats::Counter> hello-failure
  params (OptRef args stay absl::nullopt per OptRef convention)
- ClientFactoryImpl::create keeps the unconditional initialize() (init
  routing moved inside ClientImpl by the RESP3 init state machine)
- proxy_filter.cc keeps both new includes: upstream <openssl/mem.h>
  (envoyproxy#45472 constant-time password compare) and RESP3 <algorithm>
- HEXPIRE (envoyproxy#44887) and cluster string_view (envoyproxy#45967) merged cleanly

Signed-off-by: Doogie Min <doogie.min@sendbird.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants