
sec(sandbox): non-constant-time HMAC comparison in SSH handshake #580

@cluster2600


Summary

The NSSH1 SSH handshake verification at crates/openshell-sandbox/src/ssh.rs (line 238) compares the expected HMAC signature with the provided signature using != (standard string equality):

```rust
if signature != expected {
    return Ok(false);
}
```

This is a non-constant-time comparison, making it theoretically vulnerable to timing side-channel attacks. An attacker who can measure response times with sub-microsecond precision could recover the HMAC output byte by byte.

Impact

  • Severity: Medium
  • Exploitation requires high-precision timing measurements and many attempts, which is difficult but not impossible on a local network.
  • The NSSH1 handshake also includes a timestamp (10-second window) and nonce replay protection, which limit the attack window.

Proposed Fix

Use `subtle::ConstantTimeEq`, or `hmac::Mac::verify_slice()`, which performs a constant-time comparison internally:

```rust
use subtle::ConstantTimeEq;
// ct_eq walks every byte regardless of where the inputs differ; unwrap_u8() is 1 only on a full match.
if signature.as_bytes().ct_eq(expected.as_bytes()).unwrap_u8() != 1 {
    return Ok(false);
}
```
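The example below is added here and is not code from the openshell-sandbox project. It shows why the `!=` comparison leaks and what the constant-time replacement does, using only the Rust standard library so it runs without the `subtle` or `hmac` crates (in a real code base use those, as the proposed fix says). The early-exit function reports how many bytes it inspected, so the data dependence is visible without any timing measurement; the hex tag values are constructed placeholders, not real HMAC output.

```rust
// Added example: a data-independent byte comparison for MAC tag verification,
// shown next to the early-exit comparison it replaces.
use std::hint::black_box;

/// Early-exit comparison (what `signature != expected` compiles to for strings).
/// It stops at the first mismatching byte, so its running time depends on how
/// many leading bytes of `provided` agree with `expected`. Returns
/// (equal, bytes_inspected) so that dependence can be seen directly.
pub fn early_exit_eq(expected: &[u8], provided: &[u8]) -> (bool, usize) {
    if expected.len() != provided.len() {
        return (false, 0);
    }
    let mut inspected = 0;
    for (e, p) in expected.iter().zip(provided) {
        inspected += 1;
        if e != p {
            return (false, inspected);
        }
    }
    (true, inspected)
}

/// Constant-time comparison: always walks every byte and ORs the XOR of each
/// pair into an accumulator, so the work done does not depend on where (or
/// whether) the inputs differ. Only the length is allowed to leak, which is
/// acceptable for a fixed-size tag. `black_box` keeps the optimizer from
/// reintroducing an early exit. `subtle::ConstantTimeEq` does the same job.
pub fn constant_time_eq(expected: &[u8], provided: &[u8]) -> bool {
    if expected.len() != provided.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (e, p) in expected.iter().zip(provided) {
        diff |= black_box(e ^ p);
    }
    black_box(diff) == 0
}

/// Verifies a hex-encoded tag the way a handshake handler would; the two
/// strings stand in for the `signature` / `expected` values in the issue.
pub fn verify_tag(expected_hex: &str, provided_hex: &str) -> bool {
    constant_time_eq(expected_hex.as_bytes(), provided_hex.as_bytes())
}

fn main() {
    // Constructed sample tags (not real HMAC output).
    let expected = "5f3a9c1e7b2d4e6f";
    let wrong_first = "0f3a9c1e7b2d4e6f"; // differs in the first byte
    let wrong_last = "5f3a9c1e7b2d4e60"; // differs only in the last byte

    // The early-exit comparison does 1 unit of work for the first input and
    // 16 for the second: that difference is what a timing attack measures.
    println!("{:?}", early_exit_eq(expected.as_bytes(), wrong_first.as_bytes()));
    println!("{:?}", early_exit_eq(expected.as_bytes(), wrong_last.as_bytes()));

    // The constant-time version returns the same answers with the same work.
    println!("{}", verify_tag(expected, wrong_first));
    println!("{}", verify_tag(expected, expected));
}
```

The length check at the top of `constant_time_eq` is deliberate: a MAC tag has a known fixed size, so revealing that a candidate has the wrong length tells an attacker nothing about the tag's contents, and it avoids comparing past the end of the shorter slice.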
