mirror of https://github.com/MISP/MISP
chg: [security] Mitigate timing attacks when comparing advanced auth keys hashes
parent
3c3cee7735
commit
c2553f4f66
|
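--- /dev/null
+++ b/PATH_NOT_ON_PAGE/BlowfishPasswordHasherConstant.php
@@ -0,0 +1,12 @@
+<?php
+class BlowfishPasswordHasherConstant extends BlowfishPasswordHasher
+{
+    /**
+     * @param string $password
+     * @param string $hashedPassword
+     * @return bool
+     */
+    public function check($password, $hashedPassword) {
+        return hash_equals($hashedPassword, Security::hash($password, 'blowfish', $hashedPassword));
+    }
+}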
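Review bot: The new file references `BlowfishPasswordHasher` and `Security` without loading them, so unless the including code has already done so the `extends` on the class line fails at include time. Adding `App::uses('Security', 'Utility');` and `App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');` after the `<?php` line makes the file self-contained, matching the explicit `App::uses('SimplePasswordHasher', ...)` the User model hunk does for the sibling hasher. `hash_equals()` also requires both arguments to be strings: a null or missing stored hash raises a TypeError on PHP 8 instead of returning false, which the `@param string` docblock does not guard, and casting with `(string) $hashedPassword` in both places should keep the failure path on the same bcrypt cost rather than an early return. A class-level docblock such as `Same as BlowfishPasswordHasher::check() but compares with hash_equals() so the comparison time does not depend on where the hashes first differ.` would record why the subclass exists.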
|
@ -2,6 +2,7 @@
|
|||
App::uses('AppModel', 'Model');
|
||||
App::uses('RandomTool', 'Tools');
|
||||
App::uses('CidrTool', 'Tools');
|
||||
App::uses('BlowfishPasswordHasherConstant', 'Tools');
|
||||
|
||||
/**
|
||||
* @property User $User
|
||||
|
@ -331,6 +332,6 @@ class AuthKey extends AppModel
|
|||
*/
|
||||
private function getHasher()
|
||||
{
|
||||
return new BlowfishPasswordHasher();
|
||||
return new BlowfishPasswordHasherConstant();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -4,6 +4,7 @@ App::uses('AuthComponent', 'Controller/Component');
|
|||
App::uses('RandomTool', 'Tools');
|
||||
App::uses('GpgTool', 'Tools');
|
||||
App::uses('SendEmail', 'Tools');
|
||||
App::uses('BlowfishPasswordHasherConstant', 'Tools');
|
||||
|
||||
/**
|
||||
* @property Log $Log
|
||||
|
@ -1007,7 +1008,7 @@ class User extends AppModel
|
|||
App::uses('SimplePasswordHasher', 'Controller/Component/Auth');
|
||||
$passwordHasher = new SimplePasswordHasher();
|
||||
} else {
|
||||
$passwordHasher = new BlowfishPasswordHasher();
|
||||
$passwordHasher = new BlowfishPasswordHasherConstant();
|
||||
}
|
||||
$hashed = $passwordHasher->check($password, $currentUser['User']['password']);
|
||||
return $hashed;
|
||||
|
|
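Review bot: The constant-time comparison reaches only the blowfish branch: the `if` branch at the top of the hunk still builds a `SimplePasswordHasher`, whose stock CakePHP 2 `check()` compares with `===`, so logins against legacy hashes keep the timing behaviour this commit removes for bcrypt. If that branch is meant to stay as is, a comment such as `// legacy hashes: SimplePasswordHasher::check() still compares with ===` next to it would make the gap explicit; otherwise a sibling subclass using `hash_equals()` closes it. The enclosing method starts outside the hunk.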