[8.x] Patch for timeless timing attack vulnerability in user login (#44069)

* Timebox

* Fixed formatting

* Increased delta time for tests in SupportHelpersTests.php that uses usleep as part of the test. This is necessary because usleep on Windows is unreliable, and other tests that uses CPU (for instance by using usleep) that run simultaneously are then affecting the tests in SupportHelpersTests.php that asserts based on the used time.

* Timebox: ensured timebox property on SessionGuard would not be null. Added config option for validateCredentialsMinimumTime per guard

* formatting

* remove docblock

* remove unnecessary code

* fix tests

Co-authored-by: Taylor Otwell <taylor@laravel.com>

Author: JensJI

src/Illuminate/Auth/AuthManager.php

@@ -122,7 +122,11 @@ public function createSessionDriver($name, $config)
     {
         $provider = $this->createUserProvider($config['provider'] ?? null);
 
-        $guard = new SessionGuard($name, $provider, $this->app['session.store']);
+        $guard = new SessionGuard(
+            $name,
+            $provider,
+            $this->app['session.store'],
+        );
 
         // When using the remember me functionality of the authentication services we
         // will need to be set the encryption instance of the guard, which allows

src/Illuminate/Auth/SessionGuard.php

@@ -20,6 +20,7 @@
 use Illuminate\Support\Arr;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Str;
+use Illuminate\Support\Timebox;
 use Illuminate\Support\Traits\Macroable;
 use InvalidArgumentException;
 use RuntimeException;
@@ -88,6 +89,13 @@ class SessionGuard implements StatefulGuard, SupportsBasicAuth
      */
     protected $events;
 
+    /**
+     * The timebox instance.
+     *
+     * @var \Illuminate\Support\Timebox
+     */
+    protected $timebox;
+
     /**
      * Indicates if the logout method has been called.
      *
@@ -109,17 +117,20 @@ class SessionGuard implements StatefulGuard, SupportsBasicAuth
      * @param  \Illuminate\Contracts\Auth\UserProvider  $provider
      * @param  \Illuminate\Contracts\Session\Session  $session
      * @param  \Symfony\Component\HttpFoundation\Request|null  $request
+     * @param  \Illuminate\Support\Timebox|null  $timebox
      * @return void
      */
     public function __construct($name,
                                 UserProvider $provider,
                                 Session $session,
-                                Request $request = null)
+                                Request $request = null,
+                                Timebox $timebox = null)
     {
         $this->name = $name;
         $this->session = $session;
         $this->request = $request;
         $this->provider = $provider;
+        $this->timebox = $timebox ?: new Timebox;
     }
 
     /**
@@ -419,13 +430,17 @@ public function attemptWhen(array $credentials = [], $callbacks = null, $remembe
      */
     protected function hasValidCredentials($user, $credentials)
     {
-        $validated = ! is_null($user) && $this->provider->validateCredentials($user, $credentials);
+        return $this->timebox->call(function ($timebox) use ($user, $credentials) {
+            $validated = ! is_null($user) && $this->provider->validateCredentials($user, $credentials);
 
-        if ($validated) {
-            $this->fireValidatedEvent($user);
-        }
+            if ($validated) {
+                $timebox->returnEarly();
+
+                $this->fireValidatedEvent($user);
+            }
 
-        return $validated;
+            return $validated;
+        }, 200 * 1000);
     }
 
     /**
@@ -953,4 +968,14 @@ public function setRequest(Request $request)
 
         return $this;
     }
+
+    /**
+     * Get the timebox instance used by the guard.
+     *
+     * @return \Illuminate\Support\Timebox
+     */
+    public function getTimebox()
+    {
+        return $this->timebox;
+    }
 }

src/Illuminate/Support/Timebox.php

@@ -0,0 +1,70 @@
+<?php
+
+namespace Illuminate\Support;
+
+class Timebox
+{
+    /**
+     * Indicates if the timebox is allowed to return early.
+     *
+     * @var bool
+     */
+    public $earlyReturn = false;
+
+    /**
+     * Invoke the given callback within the specified timebox minimum.
+     *
+     * @param  callable  $callback
+     * @param  int  $microseconds
+     * @return mixed
+     */
+    public function call(callable $callback, int $microseconds)
+    {
+        $start = microtime(true);
+
+        $result = $callback($this);
+
+        $remainder = $microseconds - ((microtime(true) - $start) * 1000000);
+
+        if (! $this->earlyReturn && $remainder > 0) {
+            $this->usleep($remainder);
+        }
+
+        return $result;
+    }
+
+    /**
+     * Indicate that the timebox can return early.
+     *
+     * @return $this
+     */
+    public function returnEarly()
+    {
+        $this->earlyReturn = true;
+
+        return $this;
+    }
+
+    /**
+     * Indicate that the timebox cannot return early.
+     *
+     * @return $this
+     */
+    public function dontReturnEarly()
+    {
+        $this->earlyReturn = false;
+
+        return $this;
+    }
+
+    /**
+     * Sleep for the specified number of microseconds.
+     *
+     * @param  $microseconds
+     * @return void
+     */
+    protected function usleep($microseconds)
+    {
+        usleep($microseconds);
+    }
+}

tests/Auth/AuthGuardTest.php

@@ -16,6 +16,7 @@
 use Illuminate\Contracts\Events\Dispatcher;
 use Illuminate\Contracts\Session\Session;
 use Illuminate\Cookie\CookieJar;
+use Illuminate\Support\Timebox;
 use Mockery as m;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\HttpFoundation\Cookie;
@@ -94,6 +95,10 @@ public function testAttemptCallsRetrieveByCredentials()
     {
         $guard = $this->getGuard();
         $guard->setDispatcher($events = m::mock(Dispatcher::class));
+        $timebox = $guard->getTimebox();
+        $timebox->shouldReceive('call')->once()->andReturnUsing(function ($callback) use ($timebox) {
+            return $callback($timebox);
+        });
         $events->shouldReceive('dispatch')->once()->with(m::type(Attempting::class));
         $events->shouldReceive('dispatch')->once()->with(m::type(Failed::class));
         $events->shouldNotReceive('dispatch')->with(m::type(Validated::class));
@@ -103,9 +108,12 @@ public function testAttemptCallsRetrieveByCredentials()
 
     public function testAttemptReturnsUserInterface()
     {
-        [$session, $provider, $request, $cookie] = $this->getMocks();
-        $guard = $this->getMockBuilder(SessionGuard::class)->onlyMethods(['login'])->setConstructorArgs(['default', $provider, $session, $request])->getMock();
+        [$session, $provider, $request, $cookie, $timebox] = $this->getMocks();
+        $guard = $this->getMockBuilder(SessionGuard::class)->onlyMethods(['login'])->setConstructorArgs(['default', $provider, $session, $request, $timebox])->getMock();
         $guard->setDispatcher($events = m::mock(Dispatcher::class));
+        $timebox->shouldReceive('call')->once()->andReturnUsing(function ($callback, $microseconds) use ($timebox) {
+            return $callback($timebox->shouldReceive('returnEarly')->once()->getMock());
+        });
         $events->shouldReceive('dispatch')->once()->with(m::type(Attempting::class));
         $events->shouldReceive('dispatch')->once()->with(m::type(Validated::class));
         $user = $this->createMock(Authenticatable::class);
@@ -119,6 +127,10 @@ public function testAttemptReturnsFalseIfUserNotGiven()
     {
         $mock = $this->getGuard();
         $mock->setDispatcher($events = m::mock(Dispatcher::class));
+        $timebox = $mock->getTimebox();
+        $timebox->shouldReceive('call')->once()->andReturnUsing(function ($callback, $microseconds) use ($timebox) {
+            return $callback($timebox);
+        });
         $events->shouldReceive('dispatch')->once()->with(m::type(Attempting::class));
         $events->shouldReceive('dispatch')->once()->with(m::type(Failed::class));
         $events->shouldNotReceive('dispatch')->with(m::type(Validated::class));
@@ -128,9 +140,12 @@ public function testAttemptReturnsFalseIfUserNotGiven()
 
     public function testAttemptAndWithCallbacks()
     {
-        [$session, $provider, $request, $cookie] = $this->getMocks();
-        $mock = $this->getMockBuilder(SessionGuard::class)->onlyMethods(['getName'])->setConstructorArgs(['default', $provider, $session, $request])->getMock();
+        [$session, $provider, $request, $cookie, $timebox] = $this->getMocks();
+        $mock = $this->getMockBuilder(SessionGuard::class)->onlyMethods(['getName'])->setConstructorArgs(['default', $provider, $session, $request, $timebox])->getMock();
         $mock->setDispatcher($events = m::mock(Dispatcher::class));
+        $timebox->shouldReceive('call')->andReturnUsing(function ($callback) use ($timebox) {
+            return $callback($timebox->shouldReceive('returnEarly')->getMock());
+        });
         $user = m::mock(Authenticatable::class);
         $events->shouldReceive('dispatch')->times(3)->with(m::type(Attempting::class));
         $events->shouldReceive('dispatch')->once()->with(m::type(Login::class));
@@ -212,6 +227,10 @@ public function testFailedAttemptFiresFailedEvent()
     {
         $guard = $this->getGuard();
         $guard->setDispatcher($events = m::mock(Dispatcher::class));
+        $timebox = $guard->getTimebox();
+        $timebox->shouldReceive('call')->once()->andReturnUsing(function ($callback, $microseconds) use ($timebox) {
+            return $callback($timebox);
+        });
         $events->shouldReceive('dispatch')->once()->with(m::type(Attempting::class));
         $events->shouldReceive('dispatch')->once()->with(m::type(Failed::class));
         $events->shouldNotReceive('dispatch')->with(m::type(Validated::class));
@@ -544,9 +563,12 @@ public function testUserUsesRememberCookieIfItExists()
 
     public function testLoginOnceSetsUser()
     {
-        [$session, $provider, $request, $cookie] = $this->getMocks();
-        $guard = m::mock(SessionGuard::class, ['default', $provider, $session])->makePartial();
+        [$session, $provider, $request, $cookie, $timebox] = $this->getMocks();
+        $guard = m::mock(SessionGuard::class, ['default', $provider, $session, $request, $timebox])->makePartial();
         $user = m::mock(Authenticatable::class);
+        $timebox->shouldReceive('call')->once()->andReturnUsing(function ($callback) use ($timebox) {
+            return $callback($timebox->shouldReceive('returnEarly')->once()->getMock());
+        });
         $guard->getProvider()->shouldReceive('retrieveByCredentials')->once()->with(['foo'])->andReturn($user);
         $guard->getProvider()->shouldReceive('validateCredentials')->once()->with($user, ['foo'])->andReturn(true);
         $guard->shouldReceive('setUser')->once()->with($user);
@@ -555,19 +577,22 @@ public function testLoginOnceSetsUser()
 
     public function testLoginOnceFailure()
     {
-        [$session, $provider, $request, $cookie] = $this->getMocks();
-        $guard = m::mock(SessionGuard::class, ['default', $provider, $session])->makePartial();
+        [$session, $provider, $request, $cookie, $timebox] = $this->getMocks();
+        $guard = m::mock(SessionGuard::class, ['default', $provider, $session, $request, $timebox])->makePartial();
         $user = m::mock(Authenticatable::class);
+        $timebox->shouldReceive('call')->once()->andReturnUsing(function ($callback) use ($timebox) {
+            return $callback($timebox);
+        });
         $guard->getProvider()->shouldReceive('retrieveByCredentials')->once()->with(['foo'])->andReturn($user);
         $guard->getProvider()->shouldReceive('validateCredentials')->once()->with($user, ['foo'])->andReturn(false);
         $this->assertFalse($guard->once(['foo']));
     }
 
     protected function getGuard()
     {
-        [$session, $provider, $request, $cookie] = $this->getMocks();
+        [$session, $provider, $request, $cookie, $timebox] = $this->getMocks();
 
-        return new SessionGuard('default', $provider, $session, $request);
+        return new SessionGuard('default', $provider, $session, $request, $timebox);
     }
 
     protected function getMocks()
@@ -577,6 +602,7 @@ protected function getMocks()
             m::mock(UserProvider::class),
             Request::create('/', 'GET'),
             m::mock(CookieJar::class),
+            m::mock(Timebox::class),
         ];
     }
 

tests/Support/SupportHelpersTest.php

@@ -552,7 +552,7 @@ public function testRetry()
         $this->assertEquals(2, $attempts);
 
         // Make sure we waited 100ms for the first attempt
-        $this->assertEqualsWithDelta(0.1, microtime(true) - $startTime, 0.02);
+        $this->assertEqualsWithDelta(0.1, microtime(true) - $startTime, 0.03);
     }
 
     public function testRetryWithPassingSleepCallback()
@@ -573,7 +573,7 @@ public function testRetryWithPassingSleepCallback()
         $this->assertEquals(3, $attempts);
 
         // Make sure we waited 300ms for the first two attempts
-        $this->assertEqualsWithDelta(0.3, microtime(true) - $startTime, 0.02);
+        $this->assertEqualsWithDelta(0.3, microtime(true) - $startTime, 0.03);
     }
 
     public function testRetryWithPassingWhenCallback()
@@ -594,7 +594,7 @@ public function testRetryWithPassingWhenCallback()
         $this->assertEquals(2, $attempts);
 
         // Make sure we waited 100ms for the first attempt
-        $this->assertEqualsWithDelta(0.1, microtime(true) - $startTime, 0.02);
+        $this->assertEqualsWithDelta(0.1, microtime(true) - $startTime, 0.03);
     }
 
     public function testRetryWithFailingWhenCallback()

tests/Support/SupportTimeboxTest.php

@@ -0,0 +1,53 @@
+<?php
+
+namespace Illuminate\Tests\Support;
+
+use Illuminate\Support\Timebox;
+use Mockery as m;
+use PHPUnit\Framework\TestCase;
+
+class SupportTimeboxTest extends TestCase
+{
+    public function testMakeExecutesCallback()
+    {
+        $callback = function () {
+            $this->assertTrue(true);
+        };
+
+        (new Timebox)->call($callback, 0);
+    }
+
+    public function testMakeWaitsForMicroseconds()
+    {
+        $mock = m::spy(Timebox::class)->shouldAllowMockingProtectedMethods()->makePartial();
+        $mock->shouldReceive('usleep')->once();
+
+        $mock->call(function () {
+        }, 10000);
+
+        $mock->shouldHaveReceived('usleep')->once();
+    }
+
+    public function testMakeShouldNotSleepWhenEarlyReturnHasBeenFlagged()
+    {
+        $mock = m::spy(Timebox::class)->shouldAllowMockingProtectedMethods()->makePartial();
+        $mock->call(function ($timebox) {
+            $timebox->returnEarly();
+        }, 10000);
+
+        $mock->shouldNotHaveReceived('usleep');
+    }
+
+    public function testMakeShouldSleepWhenDontEarlyReturnHasBeenFlagged()
+    {
+        $mock = m::spy(Timebox::class)->shouldAllowMockingProtectedMethods()->makePartial();
+        $mock->shouldReceive('usleep')->once();
+
+        $mock->call(function ($timebox) {
+            $timebox->returnEarly();
+            $timebox->dontReturnEarly();
+        }, 10000);
+
+        $mock->shouldHaveReceived('usleep')->once();
+    }
+}