Feature #79888

Constant-time password checking

Added by Christian Futterlieb over 2 years ago. Updated 12 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Authentication
Target version:
Start date: 2017-02-18
Due date:
% Done: 100%
PHP Version:
Tags:
Complexity: no-brainer
Sprint Focus:

Description

Replace all $knownPassword == $givenPassword by either password_verify() (crypt()-based) or hash_equals() otherwise.
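
The replacement described above, as an added example that is not code from the TYPO3 patches: a loose `==` check beside a version that uses password_verify() for crypt()-style hashes and hash_equals() for everything else. The function names and the unsalted SHA-256 legacy format are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; function names and the legacy SHA-256 format are
// assumptions, not taken from the TYPO3 code base.

// Before: "==" on strings is not constant-time. The comparison can return at
// the first differing byte, so the run time depends on how much of the
// computed hash matches the stored one.
function checkLegacyLoose(string $givenPassword, string $knownHash): bool
{
    return $knownHash == hash('sha256', $givenPassword);
}

// After: pick the constant-time primitive that fits the stored hash format.
function checkPassword(string $givenPassword, string $knownHash): bool
{
    if ($knownHash === '') {
        return false; // no usable hash stored
    }
    if ($knownHash[0] === '$') {
        // crypt()-style hash ($2y$..., $6$..., $argon2i$...): password_verify()
        // re-hashes with the embedded salt and compares in constant time.
        return password_verify($givenPassword, $knownHash);
    }
    // Anything else: compute the candidate hash, then compare with
    // hash_equals(), whose run time does not depend on where the strings
    // differ. The known value goes first, the user-derived value second.
    return hash_equals($knownHash, hash('sha256', $givenPassword));
}

// Constructed sample data.
$bcryptHash = password_hash('correct horse', PASSWORD_BCRYPT);
$legacyHash = hash('sha256', 'correct horse');

var_dump(checkPassword('correct horse', $bcryptHash));
var_dump(checkPassword('wrong guess', $bcryptHash));
var_dump(checkPassword('correct horse', $legacyHash));
var_dump(checkPassword('wrong guess', $legacyHash));
```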


Related issues

Related to TYPO3 Core - Feature #79795: Improve saltedpasswords Closed 2017-12-12

Associated revisions

Revision 77f08248 (diff)
Added by Christian Futterlieb over 2 years ago

[TASK] Compare password hashes in constant time

In order to avoid time-based hash-based attacks, the native
PHP security functions are used instead of simple string
comparisons, when comparing passwords with hashes.

Change-Id: I0dbe2c12c5017f9d71ea7628ddd35d919510ac12
Releases: master
Resolves: #79888
Related: #79795
Reviewed-on: https://review.typo3.org/51737
Reviewed-by: Helmut Hummel <>
Tested-by: Helmut Hummel <>
Tested-by: TYPO3com <>
Reviewed-by: Mads Lønne Jensen <>
Reviewed-by: Markus Klein <>
Tested-by: Markus Klein <>

Revision 04810ae2 (diff)
Added by Christian Futterlieb over 2 years ago

[FOLLOWUP][TASK] Compare password hashes in constant time

Apply constant-time comparison to the fallback password checks as well.

Change-Id: I8d2aa6448c95266a45b2862f12f1a5d8259f4f0b
Releases: master
Resolves: #79888
Related: #79795
Reviewed-on: https://review.typo3.org/51853
Tested-by: TYPO3com <>
Reviewed-by: Christian Kuhn <>
Tested-by: Christian Kuhn <>
Reviewed-by: Anja Leichsenring <>
Tested-by: Anja Leichsenring <>

History

#1 Updated by Gerrit Code Review over 2 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51737

#2 Updated by Gerrit Code Review over 2 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51737

#3 Updated by Gerrit Code Review over 2 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51737

#4 Updated by Gerrit Code Review over 2 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51737

#5 Updated by Gerrit Code Review over 2 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51737

#6 Updated by Gerrit Code Review over 2 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51737

#7 Updated by Gerrit Code Review over 2 years ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51737

#8 Updated by Gerrit Code Review over 2 years ago

Patch set 8 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51737

#9 Updated by Gerrit Code Review over 2 years ago

Patch set 9 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51737

#10 Updated by Gerrit Code Review over 2 years ago

Patch set 10 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51737

#11 Updated by Riccardo De Contardi over 2 years ago

  • Target version changed from 8 LTS to 9.0

#12 Updated by Christian Futterlieb over 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#13 Updated by Gerrit Code Review over 2 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51853

#14 Updated by Christian Futterlieb over 2 years ago

  • Status changed from Under Review to Resolved

#15 Updated by Benni Mack 12 months ago

  • Status changed from Resolved to Closed
