Merge pull request #704 from Mashape/hotfix/hmac-constant-digest-compare
[hotfix/hmac-auth] constant digest comparison
thibaultcha committed Nov 10, 2015
2 parents aaf6474 + f501099 commit e85f762
Showing 1 changed file with 15 additions and 1 deletion.
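--- a/kong/plugins/hmac-auth/access.lua
+++ b/kong/plugins/hmac-auth/access.lua
@@ -81,10 +81,24 @@ local function create_hash(request, hmac_params, headers)
 return ngx_sha1(hmac_params.secret, signing_string)
 end
 
+local function is_digest_equal(digest_1, digest_2)
+if #digest_1 ~= #digest_1 then
+return false
+end
+
+local result = true
+for i=1, #digest_1 do
+if digest_1:sub(i, i) ~= digest_2:sub(i, i) then
+result = false
+end
+end
+return result
+end
+
 local function validate_signature(request, hmac_params, headers)
 local digest = create_hash(request, hmac_params, headers)
 if digest then
-return digest == ngx_decode_base64(hmac_params.signature)
+return is_digest_equal(digest, ngx_decode_base64(hmac_params.signature))
 end
 end
 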
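Review bot: The length guard in `is_digest_equal` compares `#digest_1` with itself, so it can never fail; it should read `if #digest_1 ~= #digest_2 then`. As written, the loop walks only the bytes of `digest_1`, so a decoded signature that starts with the correct digest and carries extra trailing bytes is still reported as equal. Separately, `validate_signature` now hands the result of `ngx_decode_base64` straight to the helper; if that call returns nil for a malformed header value (as `ngx.decode_base64` does, assuming this local is an alias for it), `digest_2:sub` raises an error where the old `==` simply returned false. A guard at the top of the helper, `if type(digest_2) ~= "string" then return false end`, would keep a bad signature header an ordinary authentication failure.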