diff options
| author | Carl Howells <chowells@janrain.com> | 2010-07-20 02:23:13 +0800 |
|---|---|---|
| committer | lillialexis <lillialexis@gmail.com> | 2010-07-20 02:45:05 +0800 |
| commit | 8265a62399afa4a13959c47d98c30aa5425e1b0b (patch) | |
| tree | 89aa42f1ac796326c5da3cad81c0e9da154b1cfb /Auth/OpenID | |
| parent | e438f8817b61e8da47002264c1e5e6e55a90c10c (diff) | |
| download | php-openid-8265a62399afa4a13959c47d98c30aa5425e1b0b.zip php-openid-8265a62399afa4a13959c47d98c30aa5425e1b0b.tar.gz php-openid-8265a62399afa4a13959c47d98c30aa5425e1b0b.tar.bz2 | |
Use constant-time comparison of signatures to mitigate timing attacks
Diffstat (limited to 'Auth/OpenID')
| -rw-r--r-- | Auth/OpenID/Association.php | 2 | ||||
| -rw-r--r-- | Auth/OpenID/CryptUtil.php | 14 |
2 files changed, 15 insertions, 1 deletions
diff --git a/Auth/OpenID/Association.php b/Auth/OpenID/Association.php index d1ac1ed..2729138 100644 --- a/Auth/OpenID/Association.php +++ b/Auth/OpenID/Association.php @@ -374,7 +374,7 @@ class Auth_OpenID_Association { } $calculated_sig = $this->getMessageSignature($message); - return $calculated_sig == $sig; + return Auth_OpenID_CryptUtil::constEq($calculated_sig, $sig); } } diff --git a/Auth/OpenID/CryptUtil.php b/Auth/OpenID/CryptUtil.php index a926267..3c60cea 100644 --- a/Auth/OpenID/CryptUtil.php +++ b/Auth/OpenID/CryptUtil.php @@ -104,5 +104,19 @@ class Auth_OpenID_CryptUtil { return $str; } + + static function constEq($s1, $s2) + { + if (strlen($s1) != strlen($s2)) { + return false; + } + + $result = true; + $length = strlen($s1); + for ($i = 0; $i < $length; $i++) { + $result &= ($s1[$i] == $s2[$i]); + } + return $result; + } } |