diff options
| author | Chris Raynor <chris@firebase.com> | 2014-09-09 18:40:58 -0700 |
|---|---|---|
| committer | Chris Raynor <chris@firebase.com> | 2014-09-09 18:40:58 -0700 |
| commit | fd7ac4467ebac30bc9b40f451b7b7ef6c08676c1 (patch) | |
| tree | 508c1a3e3a0c23463a55b00e3307228e7ad0904e | |
| parent | 9e5ae039440bc0806ba85ab887ab9701b5e55ffb (diff) | |
| download | php-jwt-fd7ac4467ebac30bc9b40f451b7b7ef6c08676c1.zip php-jwt-fd7ac4467ebac30bc9b40f451b7b7ef6c08676c1.tar.gz php-jwt-fd7ac4467ebac30bc9b40f451b7b7ef6c08676c1.tar.bz2 | |
Switching to a constant-time string comparison in the verify method
| -rw-r--r-- | Authentication/JWT.php | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/Authentication/JWT.php b/Authentication/JWT.php index 38a4f7e..90c1ac7 100644 --- a/Authentication/JWT.php +++ b/Authentication/JWT.php @@ -157,7 +157,16 @@ class JWT } case 'hash_hmac': default: - return $signature === hash_hmac($algo, $msg, $key, true); + $hash = hash_hmac($algo, $msg, $key, true); + $len = min(strlen($signature), strlen($hash)); + + $status = 0; + for ($i = 0; $i < $len; $i++) { + $status |= (ord($signature[$i]) ^ ord($hash[$i])); + } + $status |= (strlen($signature) ^ strlen($hash)); + + return ($status === 0); } } |