
[dev.icinga.com #13993] Hash API password and use time constant password compares #4920

Closed
icinga-migration opened this issue Jan 13, 2017 · 0 comments
Labels
area/api REST API enhancement New feature or request

Comments

@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/13993

Created by jflach on 2017-01-13 08:55:05 +00:00

Assignee: jflach
Status: Assigned
Target Version: (none)
Last Update: 2017-01-13 08:55:05 +00:00 (in Redmine)

Backport?: Not yet backported
Include in Changelog: 1

API user credentials are compared using the != operator on icinga::String, which maps directly to the != operator of std::string, which is not guaranteed to be constant time and thus is likely vulnerable to timing attacks.

An alternative to making the comparison time constant would be to always save the API passwords hashed.
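
An added illustration in C++ (not Icinga 2's own code): the std::string comparison the issue describes next to a constant-time alternative that visits every byte regardless of where the first mismatch is. The function names naiveEquals and constantTimeEquals are assumptions for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// The comparison the issue describes: std::string's operator!= may stop at the
// first differing byte, so the time taken depends on how many leading bytes of
// the supplied password match the stored one.
bool naiveEquals(const std::string& stored, const std::string& supplied)
{
    return !(stored != supplied);
}

// Constant-time comparison: every byte of both inputs is visited and the
// differences are accumulated with OR, so neither the loop count nor the
// branch taken depends on which byte (if any) differs. Inputs of different
// length compare unequal, but the loop still runs over the longer of the two;
// only the length itself remains observable, which is why the issue's second
// suggestion (store a fixed-length hash instead) removes even that.
bool constantTimeEquals(const std::string& stored, const std::string& supplied)
{
    const std::size_t storedLen = stored.size();
    const std::size_t suppliedLen = supplied.size();
    const std::size_t maxLen = storedLen > suppliedLen ? storedLen : suppliedLen;

    // Seed the accumulator with the length mismatch so a size difference
    // already makes the result non-zero before any byte is inspected.
    volatile std::uint8_t diff =
        static_cast<std::uint8_t>((storedLen ^ suppliedLen) != 0 ? 1 : 0);

    for (std::size_t i = 0; i < maxLen; ++i) {
        // Index each string modulo its own length to stay in bounds; when the
        // lengths differ, diff is already non-zero so the wrapped bytes do not
        // matter for the result.
        const std::uint8_t a =
            storedLen ? static_cast<std::uint8_t>(stored[i % storedLen]) : 0;
        const std::uint8_t b =
            suppliedLen ? static_cast<std::uint8_t>(supplied[i % suppliedLen]) : 0;
        diff = diff | (a ^ b);
    }

    return diff == 0;
}
```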

@icinga-migration icinga-migration added enhancement New feature or request area/api REST API labels Jan 17, 2017
Crunsher added a commit that referenced this issue Aug 29, 2017
Crunsher added a commit that referenced this issue Aug 29, 2017
Crunsher added a commit that referenced this issue Oct 27, 2017
Crunsher added a commit that referenced this issue Nov 2, 2017
Crunsher added a commit that referenced this issue Nov 2, 2017
Crunsher added a commit that referenced this issue Dec 14, 2017
Crunsher added a commit that referenced this issue Dec 14, 2017
Crunsher added a commit that referenced this issue Dec 21, 2017
Crunsher added a commit that referenced this issue Jan 30, 2018
Crunsher added a commit that referenced this issue Feb 23, 2018