
Merge branch 'EvanDotPro-hotfix/zend-auth-duplicate-code'
Showing 2 changed files with 5 additions and 47 deletions.
25 changes: 2 additions & 23 deletions src/Adapter/Digest.php
@@ -11,6 +11,7 @@

use Zend\Authentication\Result as AuthenticationResult;
use Zend\Stdlib\ErrorHandler;
use Zend\Crypt\Utils as CryptUtils;

class Digest extends AbstractAdapter
{
@@ -178,7 +179,7 @@ public function authenticate()
break;
}
if (substr($line, 0, $idLength) === $id) {
if ($this->_secureStringCompare(substr($line, -32), md5("$this->identity:$this->realm:$this->credential"))) {
if (CryptUtils::compareStrings(substr($line, -32), md5("$this->identity:$this->realm:$this->credential"))) {
$result['code'] = AuthenticationResult::SUCCESS;
} else {
$result['code'] = AuthenticationResult::FAILURE_CREDENTIAL_INVALID;
@@ -192,26 +193,4 @@ public function authenticate()
$result['messages'][] = "Username '$this->identity' and realm '$this->realm' combination not found";
return new AuthenticationResult($result['code'], $result['identity'], $result['messages']);
}

/**
* Securely compare two strings for equality while avoided C level memcmp()
* optimisations capable of leaking timing information useful to an attacker
* attempting to iteratively guess the unknown string (e.g. password) being
* compared against.
*
* @param string $a
* @param string $b
* @return bool
*/
protected function _secureStringCompare($a, $b)
{
if (strlen($a) !== strlen($b)) {
return false;
}
$result = 0;
for ($i = 0, $len = strlen($a); $i < $len; $i++) {
$result |= ord($a[$i]) ^ ord($b[$i]);
}
return $result == 0;
}
}
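Review bot: The new call on the `CryptUtils::compareStrings(substr($line, -32), md5(...))` line of the authenticate() hunk replaces a helper that returned false outright on unequal lengths (the `_secureStringCompare` method removed further down in this section), so behaviour is unchanged only if `Zend\Crypt\Utils::compareStrings` also treats a length mismatch as inequality without throwing; that should be confirmed against that class, and the same applies to the two call sites in src/Adapter/Http.php. With the helper's docblock gone, nothing at the call site says why `===` must not be used here; a one-line comment such as `// constant-time comparison: do not replace with === (timing side channel on the stored hash)` would preserve that intent. The new `use Zend\Crypt\Utils` also makes Zend\Crypt a hard dependency of this adapter; if the component is packaged on its own, composer.json (not among the two changed files) should declare it. The enclosing authenticate() starts and ends outside this hunk.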
27 changes: 3 additions & 24 deletions src/Adapter/Http.php
@@ -13,6 +13,7 @@
use Zend\Http\Request as HTTPRequest;
use Zend\Http\Response as HTTPResponse;
use Zend\Uri\UriFactory;
use Zend\Crypt\Utils as CryptUtils;

/**
* HTTP Authentication Adapter
@@ -489,7 +490,7 @@ protected function _basicAuth($header)

if (!$result instanceof Authentication\Result
&& !is_array($result)
&& $this->_secureStringCompare($result, $creds[1])
&& CryptUtils::compareStrings($result, $creds[1])
) {
$identity = array('username' => $creds[0], 'realm' => $this->realm);
return new Authentication\Result(Authentication\Result::SUCCESS, $identity);
@@ -582,7 +583,7 @@ protected function _digestAuth($header)

// If our digest matches the client's let them in, otherwise return
// a 401 code and exit to prevent access to the protected resource.
if ($this->_secureStringCompare($digest, $data['response'])) {
if (CryptUtils::compareStrings($digest, $data['response'])) {
$identity = array('username' => $data['username'], 'realm' => $data['realm']);
return new Authentication\Result(Authentication\Result::SUCCESS, $identity);
}
@@ -798,26 +799,4 @@ protected function _parseDigestAuth($header)

return $data;
}

/**
* Securely compare two strings for equality while avoided C level memcmp()
* optimisations capable of leaking timing information useful to an attacker
* attempting to iteratively guess the unknown string (e.g. password) being
* compared against.
*
* @param string $a
* @param string $b
* @return bool
*/
protected function _secureStringCompare($a, $b)
{
if (strlen($a) !== strlen($b)) {
return false;
}
$result = 0;
for ($i = 0, $len = strlen($a); $i < $len; $i++) {
$result |= ord($a[$i]) ^ ord($b[$i]);
}
return $result == 0;
}
}
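Review bot: In the _basicAuth hunk the condition only excludes a Result object and an array before passing `$result` to `CryptUtils::compareStrings($result, $creds[1])`, so a resolver that signals "unknown identity" with false or null still reaches the comparison and is coerced to the empty string; unless the part of _basicAuth before this hunk already rejects that case and an empty client password, adding `&& is_string($result)` ahead of the compare line closes the gap at no cost. The same length-mismatch semantics question raised on src/Adapter/Digest.php applies to this call and to the `CryptUtils::compareStrings($digest, $data['response'])` line in the _digestAuth hunk. Both _basicAuth and _digestAuth start and end outside their hunks.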
