From e108b615c259a1f283b6f0b0432e832eec9c6cca Mon Sep 17 00:00:00 2001 From: Malcolm Fell Date: Tue, 6 Sep 2016 08:21:52 +1200 Subject: [PATCH] Use timing-safe hash comparision --- src/Encryption/Symmetric.php | 40 +++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/src/Encryption/Symmetric.php b/src/Encryption/Symmetric.php index 4c2c668..da1c4cf 100644 --- a/src/Encryption/Symmetric.php +++ b/src/Encryption/Symmetric.php @@ -56,6 +56,44 @@ public function encrypt($value) */ public function verify($value, $signature) { - return $this->algorithm->compute($value) === $signature; + $computedValue = $this->algorithm->compute($value); + + return $this->timingSafeEquals($signature, $computedValue); + } + + /** + * A timing safe equals comparison. + * + * @see http://blog.ircmaxell.com/2014/11/its-all-about-time.html + * + * @param string $safe The internal (safe) value to be checked + * @param string $user The user submitted (unsafe) value + * + * @return boolean True if the two strings are identical. + */ + public function timingSafeEquals($safe, $user) + { + if (function_exists('hash_equals')) { + return hash_equals($user, $safe); + } + + $safeLen = strlen($safe); + $userLen = strlen($user); + + /* + * In general, it's not possible to prevent length leaks. So it's OK to leak the length. + * @see http://security.stackexchange.com/questions/49849/timing-safe-string-comparison-avoiding-length-leak + */ + if ($userLen != $safeLen) { + return false; + } + + $result = 0; + + for ($i = 0; $i < $userLen; $i++) { + $result |= (ord($safe[$i]) ^ ord($user[$i])); + } + + return $result === 0; } }