Drivers / DRIVERS-255

Use constant-time hash comparison functions

    • Type: Improvement
    • Resolution: Done
    • Priority: Minor - P4
    • Component/s: None

      Most of our drivers include code similar to this at the end of their SCRAM-SHA-1 implementations:

      # Early-exit comparison: != may return at the first differing byte
      if response['v'] != server_signature:
          raise ValueError("Server signature is invalid")
      

      As a matter of general hygiene, this comparison should be done using a constant-time comparison function. Note that this is not a security vulnerability in any of our drivers, just the right thing to do. SCRAM-SHA-1 uses a per-auth-attempt, client-generated nonce, which removes any information that could be inferred through a theoretical timing attack.

      For higher-level languages, there is likely a useful method in the standard library to do this. For example, in Python:

      https://docs.python.org/2/library/hmac.html#hmac.compare_digest

      For C or C++, the implementation of Python's compare_digest is instructive:

      https://hg.python.org/releasing/2.7.9/file/tip/Modules/operator.c#l240
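The check described above, written with `hmac.compare_digest`, as an added example that is not code from any of the drivers. The ServerSignature derivation follows RFC 5802; the function names and every sample value are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac


def compute_server_signature(password, salt, iterations, auth_message):
    """ServerSignature for SCRAM-SHA-1 (RFC 5802); byte-string inputs."""
    salted = hashlib.pbkdf2_hmac("sha1", password, salt, iterations)
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return hmac.new(server_key, auth_message, hashlib.sha1).digest()


def server_signature_matches(server_final, expected):
    """True only if the 'v' attribute of server_final decodes to expected."""
    response = dict(f.split("=", 1) for f in server_final.split(",") if "=" in f)
    try:
        # A missing 'v' (for example an 'e=' error reply) decodes to b"" and fails below.
        received = base64.b64decode(response.get("v", ""), validate=True)
    except (binascii.Error, ValueError):
        return False
    # Unlike != on bytes, compare_digest does not stop at the first differing byte.
    return hmac.compare_digest(received, expected)


def verify_server_final(server_final, expected):
    """Drop-in replacement for the != check: raise on any mismatch."""
    if not server_signature_matches(server_final, expected):
        raise ValueError("Server signature is invalid")


# Constructed sample values, not taken from any real exchange.
PASSWORD = b"correct horse"
SALT = b"constructed-salt"
ITERATIONS = 4096
AUTH_MESSAGE = (b"n=user,r=clientnonce,"
                b"r=clientnonceservernonce,s=Y29uc3RydWN0ZWQtc2FsdA==,i=4096,"
                b"c=biws,r=clientnonceservernonce")
EXPECTED = compute_server_signature(PASSWORD, SALT, ITERATIONS, AUTH_MESSAGE)
GOOD_FINAL = "v=" + base64.b64encode(EXPECTED).decode("ascii")
# Same signature with the lowest bit of the first byte flipped.
BAD_FINAL = "v=" + base64.b64encode(bytes([EXPECTED[0] ^ 1]) + EXPECTED[1:]).decode("ascii")

if __name__ == "__main__":
    verify_server_final(GOOD_FINAL, EXPECTED)
    print("good:", server_signature_matches(GOOD_FINAL, EXPECTED))
    print("tampered:", server_signature_matches(BAD_FINAL, EXPECTED))
```

Comparing the decoded bytes rather than the base64 text keeps both operands at the fixed 20-byte SHA-1 length whenever the server's value is well formed.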

            Assignee: Barrie Segal
            Reporter: Bernie Hackett (bernie@mongodb.com)
            Votes: 0
            Watchers: 6
