mirror of https://github.com/MISP/MISP
chg: [security] Mitigate timing attacks when comparing advanced auth keys hashes
parent
3c3cee7735
commit
c2553f4f66
@ -0,0 +1,12 @@
<?php
class BlowfishPasswordHasherConstant extends BlowfishPasswordHasher
{
/**
* @param string $password
* @param string $hashedPassword
* @return bool
*/
public function check($password, $hashedPassword) {
return hash_equals($hashedPassword, Security::hash($password, 'blowfish', $hashedPassword));
}
}
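Review bot: `hash_equals()` on the `return` line requires both arguments to be strings, so on PHP 8 a `null` or non-string `$hashedPassword` throws a `TypeError` where the parent's `===` comparison simply returned `false`; and because `Security::hash()` in CakePHP 2 returns an empty string when the salt is not a valid blowfish hash, an empty stored hash would compare equal to the computed value. A guard before the call keeps the check fail-closed: `if (!is_string($hashedPassword) || $hashedPassword === '') { return false; }`. The new file also relies on `BlowfishPasswordHasher` and `Security` having already been registered by whichever model includes it; declaring `App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');` at the top of the file would make it self-contained. A short class docblock stating that this subclass exists only to replace the parent's `===` with a constant-time comparison would tell the next maintainer why it must not be folded back.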
@ -2,6 +2,7 @@
App::uses('AppModel', 'Model');
App::uses('AppModel', 'Model');
App::uses('RandomTool', 'Tools');
App::uses('RandomTool', 'Tools');
App::uses('CidrTool', 'Tools');
App::uses('CidrTool', 'Tools');
App::uses('BlowfishPasswordHasherConstant', 'Tools');
/**
/**
* @property User $User
* @property User $User
@ -331,6 +332,6 @@ class AuthKey extends AppModel
*/
*/
private function getHasher()
private function getHasher()
{
{
return new BlowfishPasswordHasher();
return new BlowfishPasswordHasherConstant();
}
}
}
}
@ -4,6 +4,7 @@ App::uses('AuthComponent', 'Controller/Component');
App::uses('RandomTool', 'Tools');
App::uses('RandomTool', 'Tools');
App::uses('GpgTool', 'Tools');
App::uses('GpgTool', 'Tools');
App::uses('SendEmail', 'Tools');
App::uses('SendEmail', 'Tools');
App::uses('BlowfishPasswordHasherConstant', 'Tools');
/**
/**
* @property Log $Log
* @property Log $Log
@ -1007,7 +1008,7 @@ class User extends AppModel
App::uses('SimplePasswordHasher', 'Controller/Component/Auth');
App::uses('SimplePasswordHasher', 'Controller/Component/Auth');
$passwordHasher = new SimplePasswordHasher();
$passwordHasher = new SimplePasswordHasher();
} else {
} else {
$passwordHasher = new BlowfishPasswordHasher();
$passwordHasher = new BlowfishPasswordHasherConstant();
}
}
$hashed = $passwordHasher->check($password, $currentUser['User']['password']);
$hashed = $passwordHasher->check($password, $currentUser['User']['password']);
return $hashed;
return $hashed;
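Review bot: The constant-time comparison reaches only the `else` branch (`$passwordHasher = new BlowfishPasswordHasherConstant();`); the `SimplePasswordHasher` branch a few lines above still instantiates the stock CakePHP hasher, whose `check()` — if it matches the CakePHP 2 implementation — compares with `===`, so that legacy path keeps the timing behaviour this commit sets out to remove. If that path is intentionally left alone because the commit's scope is auth keys, a comment on that line such as `// NOTE: SimplePasswordHasher::check() is not a constant-time comparison` makes the gap visible; otherwise a `SimplePasswordHasherConstant` using the same `hash_equals()` pattern closes it. The enclosing function starts and ends outside the hunk. As a point of style, `$hashed` at the `check()` call holds a boolean, so `$valid` would describe it better.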