- Type: Improvement
- Resolution: Done
- Priority: Minor - P4
- None
- Component/s: None
Most of our drivers include code similar to this at the end of their SCRAM-SHA-1 implementations:
    if response['v'] != server_signature:
        throw "Server signature is invalid"
As a matter of general hygiene, this comparison should be done using a constant-time comparison function. Note that this is not a security vulnerability in any of our drivers, just the right thing to do. SCRAM-SHA-1 uses a per-authentication-attempt, client-generated nonce, which removes any information that could be inferred through a theoretical timing attack.
For higher-level languages, there is likely a useful method in the standard library to do this. For example, in Python:
https://docs.python.org/2/library/hmac.html#hmac.compare_digest
For C or C++, the implementation of Python's compare_digest is instructive:
https://hg.python.org/releasing/2.7.9/file/tip/Modules/operator.c#l240
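The check described above, written out as an added example (not code from any of the drivers): it derives the expected ServerSignature as defined in RFC 5802 and compares it to the server's 'v' attribute with hmac.compare_digest. The message strings are the RFC 5802 section 5 example exchange, not a MongoDB handshake, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# RFC 5802 section 5 example exchange (user "user", password "pencil").
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
CLIENT_FINAL_NO_PROOF = "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
SERVER_FINAL = "v=rmF9pqV8S7suAoZWja4dJRkFsKQ="


def parse_attrs(message):
    """Split a SCRAM message such as 'r=...,s=...,i=...' into a dict."""
    attrs = {}
    for part in message.split(","):
        key, _, value = part.partition("=")
        attrs[key] = value
    return attrs


def server_signature(password, salt_b64, iterations, auth_message):
    """ServerSignature = HMAC(HMAC(SaltedPassword, "Server Key"), AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha1", password, base64.b64decode(salt_b64), iterations)
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return hmac.new(server_key, auth_message.encode("utf-8"), hashlib.sha1).digest()


def expected_signature():
    """Compute the signature the client expects for the sample exchange."""
    attrs = parse_attrs(SERVER_FIRST)
    auth_message = ",".join([CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_NO_PROOF])
    return server_signature(b"pencil", attrs["s"], int(attrs["i"]), auth_message)


def verify_server_final(server_final, expected):
    """Return True only if the server's 'v' attribute matches `expected`."""
    v = parse_attrs(server_final).get("v")
    if v is None:
        return False  # e.g. the server sent 'e=...' instead of 'v=...'
    try:
        received = base64.b64decode(v, validate=True)
    except ValueError:
        return False  # not valid base64
    # compare_digest does not stop at the first differing byte.
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    print(verify_server_final(SERVER_FINAL, expected_signature()))
```

Comparing the decoded bytes rather than the base64 strings avoids rejecting a valid signature because of an encoding difference in the text form.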
depends on:
- RUST-11 Use constant-time hash comparison functions (Closed)
- CDRIVER-815 Use constant-time hash comparison functions (Closed)
- CSHARP-1389 Use constant-time hash comparison functions (Closed)
- CXX-657 Use constant-time hash comparison functions (Closed)
- JAVA-1942 Use constant-time hash comparison functions (Closed)
- PHPC-406 Use constant-time hash comparison functions (Closed)
- PYTHON-974 Use appropriate hash comparators for sensitive functions (Closed)
- RUBY-999 Use appropriate hash comparators for sensitive functions (Closed)
- RUBY-1010 Use constant-time hash comparison functions (Closed)