[JAVA-1942] Use constant-time hash comparison functions

Created: 27/Aug/15  Updated: 07/Oct/15  Resolved: 04/Sep/15

Status: Closed
Project: Java Driver
Component/s: Authentication
Affects Version/s: None
Fix Version/s: 3.1.0

Type: Improvement
Priority: Major - P3
Reporter: Rathi Gnanasekaran
Assignee: Jeffrey Yemin
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by DRIVERS-255 Use constant-time hash comparison fun... Closed
Epic Link: MongoDB 3.2

 Description   

As of Java 6, Update 17, MessageDigest.isEqual is implemented with a constant-time comparison function, so the driver can use that to compare the hashes for its SCRAM-SHA1 implementation instead of String.equals.



 Comments   
Comment by Jeffrey Yemin [ 07/Oct/15 ]

Released in 3.1.0

Comment by Githook User [ 04/Sep/15 ]

Author: Jeff Yemin (jyemin) <jeff.yemin@10gen.com>

Message: JAVA-1942: In order to guard against timing attacks, now using MessageDigest.isEqual for hash comparisons in the SCRAM-SHA1 implementation.
Branch: master
https://github.com/mongodb/mongo-java-driver/commit/532f7b22791de54595ea4656d81554ee4d8548fa
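
The change this issue describes, as an added example that is not code from the driver or from the linked commit. It assumes the compared hash is the base64 server signature that a SCRAM-SHA-1 client checks; the class name, method names and sample values are hypothetical and constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; names are hypothetical, not the driver's.
public class ScramSignatureCheck {

    // HMAC-SHA-1, the keyed hash SCRAM-SHA-1 uses for its signatures.
    static byte[] hmacSha1(byte[] key, String msg) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // Before: String.equals stops at the first differing character, so the
    // time taken depends on how much of the received value matches.
    static boolean verifyWithEquals(byte[] serverKey, String authMessage,
                                    String receivedB64) throws GeneralSecurityException {
        String expected = Base64.getEncoder().encodeToString(hmacSha1(serverKey, authMessage));
        return expected.equals(receivedB64);
    }

    // After: decode to bytes and compare with MessageDigest.isEqual, which the
    // issue notes is a constant-time comparison as of Java 6 Update 17.
    static boolean verifyConstantTime(byte[] serverKey, String authMessage,
                                      String receivedB64) throws GeneralSecurityException {
        byte[] expected = hmacSha1(serverKey, authMessage);
        byte[] received;
        try {
            received = Base64.getDecoder().decode(receivedB64);
        } catch (IllegalArgumentException e) {
            return false; // malformed base64 counts as a failed verification
        }
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values, not a captured SCRAM exchange.
        byte[] serverKey = "constructed-server-key".getBytes(StandardCharsets.UTF_8);
        String authMessage = "n=user,r=cnonce,r=cnoncesnonce,s=c2FsdA==,i=4096,c=biws,r=cnoncesnonce";
        String good = Base64.getEncoder().encodeToString(hmacSha1(serverKey, authMessage));
        String bad = Base64.getEncoder().encodeToString(hmacSha1(serverKey, authMessage + "x"));
        System.out.println("matching signature:  " + verifyConstantTime(serverKey, authMessage, good));
        System.out.println("different signature: " + verifyConstantTime(serverKey, authMessage, bad));
        System.out.println("malformed value:     " + verifyConstantTime(serverKey, authMessage, "not base64!"));
    }
}
```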
