Ruby Driver: RUBY-999

Use appropriate hash comparators for sensitive functions

    • Type: Improvement
    • Resolution: Done
    • Priority: Major - P3
    • 2.1.0
    • Affects Version/s: None
    • Component/s: None
    • None

The Ruby driver currently does a direct comparison to the server signature returned by the server in SCRAM-SHA-1. Best practice is to use a constant time comparison function. See here:

http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/PKCS5.html#module-OpenSSL::PKCS5-label-Important+Note+on+Checking+Passwords
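The check the ticket describes, as an added example rather than the driver's own code: a SCRAM server signature is HMAC(ServerKey, AuthMessage), and the client must compare the value it computed against the one the server sent. `String#==` returns at the first differing byte, so how long it runs depends on where the mismatch is; the constant-time version below touches every byte regardless. The salted password, auth message and helper names are constructed for this example, and `OpenSSL.fixed_length_secure_compare` (openssl gem 2.2+, Ruby 2.7+) is used when present, with a pure-Ruby loop as the fallback.

```ruby
require "openssl"

# Vulnerable form (what the ticket describes): String#== exits early at the
# first mismatched byte, so comparison time leaks the position of the mismatch.
def verify_server_signature_naive(expected, received)
  expected == received
end

# Constant-time form: XOR every byte pair and OR the results together. The
# amount of work does not depend on where (or whether) the strings differ.
# Length is checked first; a signature of the wrong length is simply rejected.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Prefer the C implementation shipped with newer openssl gems. It raises
# ArgumentError on a length mismatch, so lengths are checked before calling it.
def verify_server_signature(expected, received)
  if OpenSSL.respond_to?(:fixed_length_secure_compare)
    return false unless expected.bytesize == received.bytesize
    OpenSSL.fixed_length_secure_compare(expected, received)
  else
    constant_time_equal?(expected, received)
  end
end

# SCRAM-SHA-1 pieces, constructed for the example:
#   SaltedPassword  = PBKDF2-HMAC-SHA1(password, salt, iterations, 20)
#   ServerKey       = HMAC-SHA1(SaltedPassword, "Server Key")
#   ServerSignature = HMAC-SHA1(ServerKey, AuthMessage)
def salted_password(password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(password, salt, iterations, 20)
end

def server_signature(salted_pw, auth_message)
  sha1 = OpenSSL::Digest.new("SHA1")
  server_key = OpenSSL::HMAC.digest(sha1, salted_pw, "Server Key")
  OpenSSL::HMAC.digest(sha1, server_key, auth_message)
end

if __FILE__ == $0
  # Constructed inputs; the auth message is the SCRAM client-first/server-first/
  # client-final-without-proof concatenation, abbreviated here.
  spw = salted_password("pencil", "QSXCR+Q6sek8bf92", 4096)
  auth_message = "n=user,r=fyko+d2lbbFgONRv9qkxdawL,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
  expected = server_signature(spw, auth_message)
  puts verify_server_signature(expected, expected.dup)          # true
  puts verify_server_signature(expected, "\x00" * expected.bytesize) # false
end
```

The length check in `verify_server_signature` is deliberate: SCRAM signatures for a given hash are fixed length (20 bytes for SHA-1), so rejecting on length before the byte loop leaks nothing an attacker does not already know, and it keeps `fixed_length_secure_compare` from raising.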

Assignee: durran.jordan@mongodb.com Durran Jordan
Reporter: bernie@mongodb.com Bernie Hackett
Votes: 0
Watchers: 2