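--- a/[path not shown]
+++ b/[path not shown]
@@ -249,11 +249,12 @@
 
 $sig = base64_encode(hash_hmac($algo, $contents, base64_decode($data['mac_key']), true));
 
-if ($sig == $args['openid_sig']) {
-return true;
-} else {
-return false;
+// Manually compare characters to prevent timing attacks
+$res = strlen($sig) == strlen($args['openid_sig']);
+for ($i = 0; $i < strlen($sig); $i++) {
+$res &= $sig[$i] == $args['openid_sig'][$i];
 }
+return $res;
 }
 
 /**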
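Review bot: `$res &= $sig[$i] == $args['openid_sig'][$i]` is a bitwise AND, so `$res` is coerced to int and the function now returns 0/1 where the removed branches returned a bool; any caller that checks the result with `=== true` would start failing. When `$sig` is longer than `$args['openid_sig']`, the loop also reads past the end of the shorter string and raises an undefined string offset notice on every extra index, because the length mismatch is recorded in `$res` but never used to bound the loop. If the project's PHP floor is 5.6 or later, the built-in constant-time comparison covers both points in one line: `return hash_equals($sig, (string) $args['openid_sig']);`. The enclosing function starts before this hunk.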