From 04810ae26a4b0a15abc195454a3e84a8117ce00a Mon Sep 17 00:00:00 2001
From: Christian Futterlieb <christian@futterlieb.ch>
Date: Sat, 25 Feb 2017 14:33:38 +0100
Subject: [PATCH] [FOLLOWUP][TASK] Compare password hashes in constant time

Apply constant-time comparison to the fallback password checks as well.

Change-Id: I8d2aa6448c95266a45b2862f12f1a5d8259f4f0b
Releases: master
Resolves: #79888
Related: #79795
Reviewed-on: https://review.typo3.org/51853
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
---
 .../sysext/saltedpasswords/Classes/SaltedPasswordService.php  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php b/typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
index 0bb6bb884c46..4073da2b6440 100644
--- a/typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
+++ b/typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
@@ -135,13 +135,13 @@ class SaltedPasswordService extends \TYPO3\CMS\Sv\AbstractAuthenticationService
                     $this->authenticationFailed = true;
                 }
             } elseif (preg_match('/[0-9abcdef]{32,32}/', $user['password'])) {
-                $validPasswd = md5($password) === (string)$user['password'];
+                $validPasswd = \hash_equals(md5($password), (string)$user['password']);
                 // Skip further authentication methods
                 if (!$validPasswd) {
                     $this->authenticationFailed = true;
                 }
             } else {
-                $validPasswd = (string)$password !== '' && (string)$password === (string)$user['password'];
+                $validPasswd = (string)$password !== '' && \hash_equals((string)$user['password'], (string)$password);
             }
             // Should we store the new format value in DB?
             if ($validPasswd && (int)$this->extConf['updatePasswd']) {
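Review bot: The two new `\hash_equals` calls order their arguments inconsistently: the md5 branch passes the value derived from the submitted password first and the stored hash second, while the plaintext branch passes the stored value first. PHP documents the first parameter as the known string and the second as the user-supplied one, so the md5 line should read `$validPasswd = \hash_equals((string)$user['password'], md5($password));` to match the else branch and the documented contract. Also worth a comment on the md5 line: the unanchored `preg_match('/[0-9abcdef]{32,32}/', ...)` guarding this branch only requires a 32-hex-char run somewhere in the stored value, so a longer stored string would reach `hash_equals` with a length mismatch and fail closed; a note such as `// Stored value is treated as a bare lowercase md5 hex digest; longer values fail the length check inside hash_equals` would make that explicit. The enclosing method starts before and continues after this hunk.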
-- 
GitLab