fix timing vulnerability.

michaelliao · Jul 15, 2010 · c9baaa9 · c9baaa9
1 parent 84a8729
commit c9baaa9
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/JOpenId/src/org/expressme/openid/OpenIdManager.java b/JOpenId/src/org/expressme/openid/OpenIdManager.java
@@ -110,9 +110,9 @@ public Authentication getAuthentication(HttpServletRequest request, byte[] key,
             sb.append('\n');
         }
         String hmac = getHmacSha1(sb.toString(), key);
-        if (!sig.equals(hmac))
+        if (!safeEquals(sig, hmac))
             throw new OpenIdException("Verify signature failed.");
-        
+
         // set auth:
         Authentication auth = new Authentication();
         auth.setIdentity(identity);
@@ -125,6 +125,18 @@ public Authentication getAuthentication(HttpServletRequest request, byte[] key,
         return auth;
     }
 
+    boolean safeEquals(String s1, String s2) {
+        if (s1.length()!=s2.length())
+            return false;
+        int result = 0;
+        for (int i=0; i<s1.length(); i++) {
+            int c1 = s1.charAt(i);
+            int c2 = s2.charAt(i);
+            result |= (c1 ^c2);
+        }
+        return result==0;
+    }
+
     String getLastname (HttpServletRequest request, String axa) {
     	String name = request.getParameter("openid." + axa + ".value.lastname");
     	// If lastname is not supported try to get it from the fullname