archive
/
poidsy
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
Browse Source

Change signature verification algorithm to prevent timing attacks 

See http://emerose.com/timing-attacks-explained
master
Chris Smith 14 years ago
parent
f2195c74dc
commit
57ebc96e82
1 changed files with 5 additions and 4 deletions
Split View Show Diff Stats
  1. 5
    4
      keymanager.inc.php

+ 5
- 4
keymanager.inc.php View File 

@@ -249,11 +249,12 @@
249 249
250 250 
    $sig = base64_encode(hash_hmac($algo, $contents, base64_decode($data['mac_key']), true));
251 251
252 
-   if ($sig == $args['openid_sig']) {
253 
-    return true;
254 
-   } else {
255 
-    return false;
252 
+   // Manually compare characters to prevent timing attacks
253 
+   $res = strlen($sig) == strlen($args['openid_sig']);
254 
+   for ($i = 0; $i < strlen($sig); $i++) {
255 
+    $res &= $sig[$i] == $args['openid_sig'][$i];
256 256 
    }
257 
+   return $res;
257 258 
   }
258 259
259 260 
   /**

Write Preview
Loading…
Cancel
Save