[dev.icinga.com #13993] Hash API password and use time constant password compares #4920
Crunsher added a commit that referenced this issue on Aug 29, 2017
Crunsher added a commit that referenced this issue on Aug 29, 2017
Crunsher added a commit that referenced this issue on Oct 27, 2017
Crunsher added a commit that referenced this issue on Nov 2, 2017
Crunsher added a commit that referenced this issue on Nov 2, 2017
Crunsher added a commit that referenced this issue on Dec 14, 2017
Crunsher added a commit that referenced this issue on Dec 14, 2017
Crunsher added a commit that referenced this issue on Dec 21, 2017
Crunsher added a commit that referenced this issue on Jan 30, 2018
Crunsher added a commit that referenced this issue on Feb 23, 2018
This issue has been migrated from Redmine: https://dev.icinga.com/issues/13993
Created by jflach on 2017-01-13 08:55:05 +00:00
Assignee: jflach
Status: Assigned
Target Version: (none)
Last Update: 2017-01-13 08:55:05 +00:00 (in Redmine)
API user credentials are compared using the != operator on icinga::String, which maps directly to the != operator of std::string, which is not guaranteed to be constant time and thus is likely vulnerable to timing attacks.
An alternative to making the comparison time constant would be to always save the API passwords hashed.
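The comparison problem described in the issue, shown as an added example that is not Icinga 2 code and not part of the original report: an early-exit `!=` check beside a comparison that visits every byte regardless of where the first mismatch is. The function names and the sample password are hypothetical; the hashed-storage alternative is not covered because it needs a cryptographic library.

```cpp
#include <cstddef>
#include <initializer_list>
#include <iostream>
#include <string>

// Early-exit comparison of the kind the issue describes: std::string's
// operator!= may return at the first differing byte or on a length mismatch,
// so run time can depend on how much of the guess is correct.
bool NaiveCredentialMatch(const std::string& supplied, const std::string& stored)
{
    return !(supplied != stored);
}

// Comparison whose work depends only on the length of the supplied value,
// which the caller already knows. Every byte is visited and differences are
// OR-ed into an accumulator instead of triggering an early return.
bool ConstantTimeCredentialMatch(const std::string& supplied, const std::string& stored)
{
    // Stand-in byte so an empty stored password cannot cause a modulo by zero.
    static const std::string placeholder(1, '\0');
    const std::string& reference = stored.empty() ? placeholder : stored;

    // volatile discourages the optimizer from reintroducing a short-circuit.
    // A length mismatch is folded in up front so wrapped indices cannot match.
    volatile unsigned char diff = (supplied.size() == stored.size()) ? 0 : 1;

    for (std::size_t i = 0; i < supplied.size(); ++i) {
        unsigned char a = static_cast<unsigned char>(supplied[i]);
        unsigned char b = static_cast<unsigned char>(reference[i % reference.size()]);
        diff = static_cast<unsigned char>(diff | (a ^ b));
    }

    return diff == 0;
}

int main()
{
    const std::string stored = "s3cr3t-api-key"; // constructed sample value
    for (const char* guess : {"s3cr3t-api-key", "x3cr3t-api-key", "s3cr3t", ""})
        std::cout << '"' << guess << "\" -> "
                  << ConstantTimeCredentialMatch(guess, stored) << '\n';
    return 0;
}
```

Both functions return the same answers; only the second keeps the amount of work independent of the stored value's contents.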