Summary
The NSSH1 SSH handshake verification at crates/openshell-sandbox/src/ssh.rs (line 238) compares the expected HMAC signature with the provided signature using != (standard string equality):
if signature != expected {
return Ok(false);
}
This is a non-constant-time comparison, making it theoretically vulnerable to timing side-channel attacks. An attacker who can measure response times with sub-microsecond precision could recover the HMAC output byte by byte.
Impact
- Severity: Medium
- Exploitation requires high-precision timing measurements and many attempts, which is difficult but not impossible on a local network.
- The NSSH1 handshake also includes a timestamp (10-second window) and nonce replay protection, which limit the attack window.
Proposed Fix
Use subtle::ConstantTimeEq, or hmac::Mac::verify_slice(), which performs the constant-time comparison internally:
use subtle::ConstantTimeEq;
if signature.as_bytes().ct_eq(expected.as_bytes()).unwrap_u8() != 1 {
return Ok(false);
}
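The two comparisons side by side, as an added example that is not the openshell project's code: the early-exit string compare from the issue, a helper that counts how many bytes that compare touches before stopping (the data-dependent work a timing attacker measures), and a constant-time equivalent written with std only. The fix proposed above (subtle or hmac::Mac::verify_slice) is still the right choice in production, since those crates guard the loop against compiler optimisation.

```rust
// Added example; the function names are assumptions, not the project's API.

/// Early-exit comparison, equivalent to the original `if signature != expected`.
/// Execution time depends on where the first mismatching byte sits.
pub fn verify_early_exit(signature: &str, expected: &str) -> bool {
    signature == expected
}

/// Models the work done by a byte-by-byte early-exit compare: returns how many
/// bytes are inspected before the compare can return. A correct prefix makes
/// this number grow, which is exactly the signal a timing side channel leaks.
pub fn bytes_compared_before_exit(signature: &[u8], expected: &[u8]) -> usize {
    let shortest = signature.len().min(expected.len());
    for i in 0..shortest {
        if signature[i] != expected[i] {
            return i + 1;
        }
    }
    shortest
}

/// Constant-time comparison: every byte is visited and the XOR of each pair
/// is folded into one accumulator, so the loop does no less work for a
/// mismatch at byte 0 than for one at the last byte. Only the length check
/// short-circuits, which is acceptable for a fixed-length HMAC tag (the tag
/// length is public). A production implementation should use
/// subtle::ConstantTimeEq so the optimiser cannot reintroduce an early exit.
pub fn verify_constant_time(signature: &[u8], expected: &[u8]) -> bool {
    if signature.len() != expected.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (a, b) in signature.iter().zip(expected.iter()) {
        diff |= a ^ b;
    }
    diff == 0
}

fn main() {
    // Constructed sample values standing in for hex-encoded HMAC tags.
    let expected = "3f9a1c7e3f9a1c7e";
    let near_miss = "3f9a1c7e3f9a1c7f"; // differs only in the last byte
    let far_miss = "0f9a1c7e3f9a1c7e"; // differs in the first byte
    println!("early-exit work, near miss: {}", bytes_compared_before_exit(near_miss.as_bytes(), expected.as_bytes()));
    println!("early-exit work, far miss:  {}", bytes_compared_before_exit(far_miss.as_bytes(), expected.as_bytes()));
    println!("constant-time verdicts: {} {}", verify_constant_time(near_miss.as_bytes(), expected.as_bytes()), verify_early_exit(expected, expected));
}
```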