[CXX-657] Use constant-time hash comparison functions
Created: 27/Aug/15 Updated: 06/Dec/15 Resolved: 16/Nov/15

| Status: | Closed |
| Project: | C++ Driver |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | legacy-1.1.0-rc0 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Rathi Gnanasekaran | Assignee: | Andrew Morrow (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | legacy-cxx |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Epic Link: | Legacy C++ Driver MongoDB 3.2 |

Comments

Comment by Githook User [ 06/Dec/15 ]

Author: {u'username': u'acmorrow', u'name': u'Andrew Morrow', u'email': u'acm@mongodb.com'}
Message: Cherry-picked from server commit

Comment by Andrew Morrow (Inactive) [ 16/Nov/15 ]

Comment by Mark Benvenuto [ 19/Oct/15 ]

Here are the places to fix:
https://github.com/mongodb/mongo/blob/master/src/mongo/crypto/mechanism_scram.cpp#L225

I agree we need to make the change to the server first, and follow your backport plan. I want to use the same code as the C driver, and will follow up with legal. My final proposed function will be something like this:

Comment by Mark Benvenuto [ 15/Oct/15 ]

This means write a function as such:

The goal is to always walk the entire input for say parameter 1, and avoid short-circuit logic that hints when data is different. This can be a little tricky to write correctly, but worth doing.
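
The comparison described in the 15/Oct/15 comment, sketched as an added example. It is not the function proposed in this ticket, nor the driver's or the server's code; the names `constantTimeMemEqual` and `constantTimeStringEqual` and all sample values are constructed for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Fixed-length case (e.g. two digests of the same size). Every byte pair is
// XORed and OR-ed into one accumulator, so the loop always runs `len` times
// whether the first byte or the last byte differs.
bool constantTimeMemEqual(const unsigned char* a, const unsigned char* b, std::size_t len) {
    // volatile discourages the optimizer from reintroducing an early exit.
    volatile unsigned char diff = 0;
    for (std::size_t i = 0; i < len; ++i) {
        diff = static_cast<unsigned char>(diff | (a[i] ^ b[i]));
    }
    return diff == 0;
}

// Variable-length case: always walks all of `supplied` (parameter 1). A length
// mismatch is recorded up front instead of returning early; bytes past the end
// of `expected` are compared against 0 so the indexing stays in bounds.
bool constantTimeStringEqual(const std::string& supplied, const std::string& expected) {
    volatile std::size_t diff = supplied.size() ^ expected.size();
    for (std::size_t i = 0; i < supplied.size(); ++i) {
        const unsigned char s = static_cast<unsigned char>(supplied[i]);
        const unsigned char e =
            i < expected.size() ? static_cast<unsigned char>(expected[i]) : 0;
        diff = diff | static_cast<std::size_t>(s ^ e);
    }
    return diff == 0;
}

int main() {
    // Constructed sample values, not real credentials or digests.
    const unsigned char stored[8]   = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
    const unsigned char firstOff[8] = {0x00, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
    const unsigned char lastOff[8]  = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0xff};
    std::cout << std::boolalpha
              << constantTimeMemEqual(stored, stored, 8) << ' '
              << constantTimeMemEqual(stored, firstOff, 8) << ' '
              << constantTimeMemEqual(stored, lastOff, 8) << ' '
              << constantTimeStringEqual("c2lnbmF0dXJl", "c2lnbmF0dXJl") << ' '
              << constantTimeStringEqual("c2ln", "c2lnbmF0dXJl") << '\n';
    return 0;
}
```

The `volatile` accumulator is a mitigation, not a guarantee: an optimizing compiler may still restructure the loop, so the generated code for the target build should be inspected.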