[DRIVERS-255] Use constant-time hash comparison functions Created: 10/Aug/15  Updated: 15/May/19  Resolved: 21/Jun/16

Status: Closed
Project: Drivers
Component/s: None
Fix Version/s: None

Type: Improvement Priority: Minor - P4
Reporter: Bernie Hackett Assignee: Barrie Segal
Resolution: Done Votes: 0
Labels: newdriver
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on RUST-11 Use constant-time hash comparison fun... Closed
depends on CDRIVER-815 Use constant-time hash comparison fun... Closed
depends on CSHARP-1389 Use constant-time hash comparison fun... Closed
depends on CXX-657 Use constant-time hash comparison fun... Closed
depends on JAVA-1942 Use constant-time hash comparison fun... Closed
depends on PHPC-406 Use constant-time hash comparison fun... Closed
depends on PYTHON-974 Use appropriate hash comparators for ... Closed
depends on RUBY-999 Use appropriate hash comparators for ... Closed
depends on RUBY-1010 Use constant-time hash comparison fun... Closed
Related
Driver Compliance:
Key Status/Resolution FixVersion
PYTHON-974 Done 2.9, 3.1
RUBY-999 Done 2.1.0
CSHARP-1389 Done 2.0.2, 2.1
SCALA-204 Done
CDRIVER-815 Done 1.3.0-beta0
CXX-657 Done legacy-1.1.0-rc0
JAVA-1942 Done 3.1.0
RUBY-1010 Duplicate 12_01_17
PHP-1478 Won't Fix
PERL-560 Done
PHPC-406 Done 1.1.0
RUST-11 Fixed 0.9.0-alpha
SWIFT-463 Done

 Description   

Most of our drivers include code similar to this at the end of their SCRAM-SHA-1 implementations:

if response['v'] != server_signature:
    throw "Server signature is invalid"

As a matter of general hygiene, this comparison should be done using a constant-time comparison function. Note that this is not a security vulnerability in any of our drivers, just the right thing to do. SCRAM-SHA-1 uses a per-auth attempt client generated nonce, which removes any information that could be inferred through a theoretical timing attack.

For higher level languages, there is likely a useful method in the standard library to do this. For example, in python:

https://docs.python.org/2/library/hmac.html#hmac.compare_digest

For C or C++, the implementation of python's compare_digest is instructive:

https://hg.python.org/releasing/2.7.9/file/tip/Modules/operator.c#l240



 Comments   
Comment by Andrew Morrow (Inactive) [ 19/Sep/15 ]

Validating for C++11 - we use the C drivers SCRAM implementation, so there is nothing for us to do other than trust C to get it right.

Generated at Thu Feb 08 08:21:06 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.