[TASK] Compare password hashes in constant time 37/51737/11
author Christian Futterlieb <christian@futterlieb.ch>
Sat, 18 Feb 2017 10:51:07 +0000 (11:51 +0100)
committer Markus Klein <markus.klein@typo3.org>
Thu, 23 Feb 2017 17:21:42 +0000 (18:21 +0100)
commit 77f082488154f5ae1aac9ad4da2c18e72149099b
tree 027569dbf9e37fb61ce623ced01cd8e967fdbc31
parent 2c5378c4fe1b05d296a034ba164ee569e8205875
[TASK] Compare password hashes in constant time

In order to avoid time-based hash-based attacks, the native
PHP security functions are used instead of simple string
comparisons, when comparing passwords with hashes.

Change-Id: I0dbe2c12c5017f9d71ea7628ddd35d919510ac12
Releases: master
Resolves: #79888
Related: #79795
Reviewed-on: https://review.typo3.org/51737
Reviewed-by: Helmut Hummel <typo3@helhum.io>
Tested-by: Helmut Hummel <typo3@helhum.io>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Mads Lønne Jensen <mlj@systime.dk>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
typo3/sysext/saltedpasswords/Classes/Salt/Md5Salt.php
typo3/sysext/saltedpasswords/Classes/Salt/Pbkdf2Salt.php
typo3/sysext/saltedpasswords/Classes/Salt/PhpassSalt.php
typo3/sysext/saltedpasswords/Tests/Unit/Salt/BlowfishSaltTest.php
typo3/sysext/saltedpasswords/Tests/Unit/Salt/Md5SaltTest.php
typo3/sysext/saltedpasswords/Tests/Unit/Salt/Pbkdf2SaltTest.php
typo3/sysext/saltedpasswords/Tests/Unit/Salt/PhpassSaltTest.php
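
The kind of change the commit message describes, as an added example that is not taken from this commit or from TYPO3: a simple string comparison of a crypt()-style salted hash beside the same check done with PHP's native `hash_equals()` and `password_verify()`. The function names and the sample password are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example: function names are hypothetical, not TYPO3 API.

// "Before": simple string comparison. Its run time is not guaranteed to be
// independent of the position at which the two strings first differ.
function checkPasswordSimple(string $plain, string $storedHash): bool
{
    return crypt($plain, $storedHash) === $storedHash;
}

// "After": hash_equals() takes the same time wherever the strings differ.
function checkPasswordConstantTime(string $plain, string $storedHash): bool
{
    $computed = crypt($plain, $storedHash);
    // On failure crypt() returns a string shorter than 13 characters.
    if (strlen($computed) < 13) {
        return false;
    }
    // Known (stored) value first, user-derived value second.
    return hash_equals($storedHash, $computed);
}

// Constructed sample data: a bcrypt hash created on the spot
// (cost 4 keeps the demo fast; it is not a production setting).
$stored = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]);

$checks = [
    'constant-time, right password' => checkPasswordConstantTime('correct horse', $stored) === true,
    'constant-time, wrong password' => checkPasswordConstantTime('wrong horse', $stored) === false,
    'constant-time, malformed hash' => checkPasswordConstantTime('correct horse', 'not-a-hash') === false,
    // Both variants agree on the result; only the timing behaviour differs.
    'simple variant, same verdict'  => checkPasswordSimple('correct horse', $stored) === true,
    // For crypt()-compatible hashes, password_verify() does the recomputation
    // and the timing-safe comparison in one native call.
    'password_verify'               => password_verify('correct horse', $stored) === true,
];

foreach ($checks as $label => $passed) {
    if (!$passed) {
        throw new RuntimeException("Check failed: $label");
    }
    echo "ok: $label\n";
}
```

`hash_equals()` returns early when the two strings differ in length, so it hides where they differ but not whether the lengths match; for fixed-length hash output that reveals nothing about the password.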