      request #25689 [oidc-client] State comparison must be done in constant time
    Infos
    #25689
    Manuel Vacelet (vaceletm)
    2022-03-31 09:58
    2022-03-07 10:21
    27222
    Details
    [oidc-client] State comparison must be done in constant time
    Mediawiki Standalone
    development
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Robert Vogel (rvogel)
    Stage
    Dejan Savuljesku (dsavuljesku)
    Closed
    2022-03-31
    Attachments
    Empty
    References
    References list is empty

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2022-03-07 12:25

    Constant time means that the time needed to do the calculation is not dependent on the content of the inputs. Only the size of the inputs can change the time needed to do it.

    PHP does not compare strings in constant time by default; it returns as soon as it finds a difference between the 2 strings. This means it might be possible to determine what the expected secret is, see timing attack. This is why it is a good practice to do such operations in constant time when manipulating secrets and/or doing crypto-related operations (at the very least it makes the whole process easier to audit).

    PHP has a function that allows doing string comparison in constant time, the misnamed hash_equals().
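As an added illustration (not code from the oidc-client plugin or from this thread), a minimal PHP callback state check that places the short-circuiting `===` comparison beside the `hash_equals()` form; the `handleCallback` function and the shapes of the session and query arrays are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed example, not the plugin's own code.
// The "state" parameter of an OIDC authorization response must match the
// value the client stored in the session before redirecting to the provider.

/** Vulnerable form: === returns at the first differing byte, so the elapsed
 *  time depends on how many leading bytes of the expected value matched. */
function stateMatchesVulnerable(string $expected, string $received): bool
{
    return $expected === $received;
}

/** Hardened form: hash_equals() examines every byte regardless of content.
 *  The known (secret) value goes first; only the lengths may differ in time. */
function stateMatchesConstantTime(string $expected, string $received): bool
{
    return hash_equals($expected, $received);
}

/** Assumed callback handler: $session holds the state saved before the
 *  redirect, $query is the parsed authorization response. */
function handleCallback(array $session, array $query): string
{
    if (!isset($session['oidc_state'], $query['state'])) {
        return 'error: missing state';
    }
    if (!is_string($query['state'])) {
        return 'error: malformed state';
    }
    if (!stateMatchesConstantTime($session['oidc_state'], $query['state'])) {
        return 'error: state mismatch';
    }
    return 'ok: state verified, continue with the code exchange';
}

// Constructed sample values: the state generated before the redirect...
$state   = bin2hex(random_bytes(32));
$session = ['oidc_state' => $state];

// ...and what comes back from the provider: a genuine and a tampered value.
var_dump(handleCallback($session, ['state' => $state, 'code' => 'sample-code']));
var_dump(handleCallback($session, ['state' => substr($state, 0, -1) . 'x', 'code' => 'sample-code']));
```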