[FOLLOWUP][TASK] Compare password hashes in constant time 53/51853/2
authorChristian Futterlieb <christian@futterlieb.ch>
Sat, 25 Feb 2017 13:33:38 +0000 (14:33 +0100)
committerAnja Leichsenring <aleichsenring@ab-softlab.de>
Sun, 26 Feb 2017 20:44:23 +0000 (21:44 +0100)
Apply constant-time comparison to the fallback password checks as well.

Change-Id: I8d2aa6448c95266a45b2862f12f1a5d8259f4f0b
Releases: master
Resolves: #79888
Related: #79795
Reviewed-on: https://review.typo3.org/51853
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php

index 0bb6bb8..4073da2 100644 (file)
@@ -135,13 +135,13 @@ class SaltedPasswordService extends \TYPO3\CMS\Sv\AbstractAuthenticationService
                     $this->authenticationFailed = true;
                 }
             } elseif (preg_match('/[0-9abcdef]{32,32}/', $user['password'])) {
-                $validPasswd = md5($password) === (string)$user['password'];
+                $validPasswd = \hash_equals(md5($password), (string)$user['password']);
                 // Skip further authentication methods
                 if (!$validPasswd) {
                     $this->authenticationFailed = true;
                 }
             } else {
-                $validPasswd = (string)$password !== '' && (string)$password === (string)$user['password'];
+                $validPasswd = (string)$password !== '' && \hash_equals((string)$user['password'], (string)$password);
             }
             // Should we store the new format value in DB?
             if ($validPasswd && (int)$this->extConf['updatePasswd']) {
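Review bot: The two new `\hash_equals()` calls pass their arguments in opposite orders — the MD5 branch puts the freshly computed `md5($password)` first and the stored value second, while the plaintext branch puts the stored value first; `hash_equals()` documents its first parameter as the known (stored) string and the second as the user-supplied one, and its timing profile is only specified with respect to the second argument, so the MD5 branch should read `$validPasswd = \hash_equals((string)$user['password'], md5($password));` to match the plaintext branch. In the plaintext branch, `hash_equals()` returns early when the two lengths differ, so the length of the stored value remains observable; this is inherent to the function and is only relevant to the legacy plaintext fallback, but a one-line comment such as `// hash_equals() still returns early on length mismatch; only fixed-length hashes get a fully constant-time compare` would document the residual limitation. Not part of this change, but the branch selector `preg_match('/[0-9abcdef]{32,32}/', $user['password'])` is unanchored, so any stored value containing a 32-character hex substring is treated as an MD5 hash; anchoring it (`'/^[0-9abcdef]{32}$/'`) would make the fallback choice exact. The enclosing method starts and ends outside this hunk.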