<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:21:06 UTC 2024

-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DRIVERS-255] Use constant-time hash comparison functions</title>
                <link>https://jira.mongodb.org/browse/DRIVERS-255</link>
                <project id="10980" key="DRIVERS">Drivers</project>
                    <description>&lt;p&gt;Most of our drivers include code similar to this at the end of their SCRAM-SHA-1 implementations:&lt;/p&gt;

&lt;pre&gt;if response[&apos;v&apos;] != server_signature:
    throw &quot;Server signature is invalid&quot;&lt;/pre&gt;

&lt;p&gt;As a matter of general hygiene, this comparison should be done using a constant-time comparison function. Note that this &lt;b&gt;is not&lt;/b&gt; a security vulnerability in any of our drivers, just the right thing to do. SCRAM-SHA-1 uses a per-auth-attempt, client-generated nonce, which removes any information that could be inferred through a theoretical timing attack.&lt;/p&gt;

&lt;p&gt;For higher-level languages, there is likely a useful method in the standard library to do this. For example, in Python:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://docs.python.org/2/library/hmac.html#hmac.compare_digest&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://docs.python.org/2/library/hmac.html#hmac.compare_digest&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For C or C++, the implementation of Python&apos;s compare_digest is instructive:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://hg.python.org/releasing/2.7.9/file/tip/Modules/operator.c#l240&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://hg.python.org/releasing/2.7.9/file/tip/Modules/operator.c#l240&lt;/a&gt;&lt;/p&gt;</description>
                <environment></environment>
        <key id="224967">DRIVERS-255</key>
            <summary>Use constant-time hash comparison functions</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="barrie">Barrie Segal</assignee>
                                    <reporter username="bernie@mongodb.com">Bernie Hackett</reporter>
                        <labels>
                            <label>newdriver</label>
                    </labels>
                <created>Mon, 10 Aug 2015 21:01:43 +0000</created>
                <updated>Wed, 15 May 2019 17:12:21 +0000</updated>
                            <resolved>Tue, 21 Jun 2016 18:34:33 +0000</resolved>
                                                                            <votes>0</votes>
                                    <watches>6</watches>
                                                                                                                <comments>
                            <comment id="1037566" author="acm" created="Sat, 19 Sep 2015 13:40:07 +0000"  >&lt;p&gt;Validating for C++11 - we use the C driver&apos;s SCRAM implementation, so there is nothing for us to do other than trust C to get it right.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                            <outwardlinks description="depends on">
                                        <issuelink>
            <issuekey id="668370">RUST-11</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="227356">CDRIVER-815</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="227355">CSHARP-1389</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="227354">CXX-657</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="227357">JAVA-1942</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="228221">PHPC-406</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="225790">PYTHON-974</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="225819">RUBY-999</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="227362">RUBY-1010</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                            <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_23952" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Driver Compliance</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[
<table id='scriptField'>
  <tr>
    <th>Key</th>
    <th>Status/Resolution</th>
    <th>FixVersion</th>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/PYTHON-974'>PYTHON-974</a>
    </td>
    <td>Done</td>
    <td class='hasFixVersion'>2.9, 3.1</td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/RUBY-999'>RUBY-999</a>
    </td>
    <td>Done</td>
    <td class='hasFixVersion'>2.1.0</td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/CSHARP-1389'>CSHARP-1389</a>
    </td>
    <td>Done</td>
    <td class='hasFixVersion'>2.0.2, 2.1</td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/SCALA-204'>SCALA-204</a>
    </td>
    <td>Done</td>
    <td class=''></td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/CDRIVER-815'>CDRIVER-815</a>
    </td>
    <td>Done</td>
    <td class='hasFixVersion'>1.3.0-beta0</td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/CXX-657'>CXX-657</a>
    </td>
    <td>Done</td>
    <td class='hasFixVersion'>legacy-1.1.0-rc0</td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/JAVA-1942'>JAVA-1942</a>
    </td>
    <td>Done</td>
    <td class='hasFixVersion'>3.1.0</td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/RUBY-1010'>RUBY-1010</a>
    </td>
    <td>Duplicate</td>
    <td class='hasFixVersion'>12_01_17</td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/PHP-1478'>PHP-1478</a>
    </td>
    <td>Won't Fix</td>
    <td class=''></td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/PERL-560'>PERL-560</a>
    </td>
    <td>Done</td>
    <td class=''></td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/PHPC-406'>PHPC-406</a>
    </td>
    <td>Done</td>
    <td class='hasFixVersion'>1.1.0</td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/RUST-11'>RUST-11</a>
    </td>
    <td>Fixed</td>
    <td class='hasFixVersion'>0.9.0-alpha</td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/SWIFT-463'>SWIFT-463</a>
    </td>
    <td>Done</td>
    <td class=''></td>
  </tr>
</table>]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hscfvb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_11150" key="com.atlassian.jira.plugin.system.customfieldtypes:multiselect">
                        <customfieldname>SERVER fixVersion</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="12551"><![CDATA[3.2]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    </customfields>
    </item>
</channel>
</rss>