author | Chris Raynor <chris@firebase.com> | 2014-09-09 18:49:07 -0700 |
committer | Chris Raynor <chris@firebase.com> | 2014-09-09 18:49:07 -0700 |
commit | 6e4b99948f79622aad86101c4baeb744d14d5946 (patch) | |
tree | d4127bda71166f4066f0d426905f41ebb5666c0f | |
parent | 9e5ae039440bc0806ba85ab887ab9701b5e55ffb (diff) | |
parent | 988e10242929026afd6fcb8bf73013fd76543af4 (diff) | |
Merge pull request #17 from firebase/constant-time
Constant time string comparison function in verify method
-rw-r--r-- | Authentication/JWT.php | 11 | ||||
-rw-r--r-- | tests/JWTTest.php | 9 |
2 files changed, 19 insertions, 1 deletions
diff --git a/Authentication/JWT.php b/Authentication/JWT.php
index 38a4f7e..90c1ac7 100644
--- a/Authentication/JWT.php
+++ b/Authentication/JWT.php
@@ -157,7 +157,16 @@ class JWT
 }
 case 'hash_hmac':
 default:
- return $signature === hash_hmac($algo, $msg, $key, true);
+ $hash = hash_hmac($algo, $msg, $key, true);
+ $len = min(strlen($signature), strlen($hash));
+
+ $status = 0;
+ for ($i = 0; $i < $len; $i++) {
+ $status |= (ord($signature[$i]) ^ ord($hash[$i]));
+ }
+ $status |= (strlen($signature) ^ strlen($hash));
+
+ return ($status === 0);
 }
 }
diff --git a/tests/JWTTest.php b/tests/JWTTest.php
index ee131d4..2149862 100644
--- a/tests/JWTTest.php
+++ b/tests/JWTTest.php
@@ -47,6 +47,15 @@ class JWTTest extends PHPUnit_Framework_TestCase {
 $this->assertEquals($decoded->message, 'abc');
 }
+ function testInvalidToken() {
+ $payload = array(
+ "message" => "abc",
+ "exp" => time() + 20); // time in the future
+ $encoded = JWT::encode($payload, 'my_key');
+ $this->setExpectedException('UnexpectedValueException');
+ $decoded = JWT::decode($encoded, 'my_key2');
+ }
+
 function testRSEncodeDecode() {
 $privKey = openssl_pkey_new(array('digest_alg' => 'sha256',
 'private_key_bits' => 1024, |
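Review bot: The hand-rolled loop in the `default:` branch reimplements what PHP 5.6 ships as `hash_equals()`, which is maintained by the engine, rejects non-string arguments, and should be preferred when present, with the loop kept only as the pre-5.6 fallback: `if (function_exists('hash_equals')) { return hash_equals($hash, $signature); }` inserted directly after the `$hash = hash_hmac(...)` line (known value first, caller-supplied value second). The fallback branch also deserves a comment so a later cleanup does not "simplify" it back to `===`, e.g. `// Constant-time comparison: do not short-circuit on the first differing byte, so timing does not reveal how much of the signature matches.` The enclosing method starts before the hunk, so its signature and the `$signature` source are not visible here.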
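Review bot: `testInvalidToken` exercises only the wrong-key path, where `$signature` and `$hash` have the same length, so the length-mismatch term this commit adds to the comparison (`strlen($signature) ^ strlen($hash)`) is not covered; a second case that decodes a token whose signature segment has been shortened or lengthened by a byte, expecting the same `UnexpectedValueException`, would pin that branch. The method name is broader than what it checks, so a leading comment such as `// wrong key: the signature must fail to verify` would state the intent without renaming. `$decoded` is assigned but never read and can be dropped in favour of calling `JWT::decode($encoded, 'my_key2');` directly. The enclosing `JWTTest` class continues past the hunk.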