
hotfix(hmac-auth) constant time digest comparison
fix #655
Shashi Ranjan committed Nov 10, 2015
1 parent 6f211f2 commit f501099
Showing 1 changed file with 15 additions and 1 deletion.
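--- a/kong/plugins/hmac-auth/access.lua
+++ b/kong/plugins/hmac-auth/access.lua
@@ -81,10 +81,24 @@ local function create_hash(request, hmac_params, headers)
 return ngx_sha1(hmac_params.secret, signing_string)
 end
 
+local function is_digest_equal(digest_1, digest_2)
+if #digest_1 ~= #digest_1 then
+return false
+end
+
+local result = true
+for i=1, #digest_1 do
+if digest_1:sub(i, i) ~= digest_2:sub(i, i) then
+result = false
+end
+end
+return result
+end
+
 local function validate_signature(request, hmac_params, headers)
 local digest = create_hash(request, hmac_params, headers)
 if digest then
-return digest == ngx_decode_base64(hmac_params.signature)
+return is_digest_equal(digest, ngx_decode_base64(hmac_params.signature))
 end
 end
 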
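Review bot: The length guard in the added is_digest_equal compares `#digest_1` with itself, so it never fires: a digest_2 that is longer than digest_1 but starts with the same bytes is accepted, and a nil from ngx_decode_base64 (if it rejects hmac_params.signature) reaches `digest_2:sub` and raises instead of failing the check. It should read `if not digest_2 or #digest_1 ~= #digest_2 then return false end`. The loop itself does what the title promises, since `result` is only cleared and never returned early, so the time spent depends on the digest length rather than on the position of the first mismatch. Comparing with `digest_1:byte(i) ~= digest_2:byte(i)` would avoid two short-string allocations per iteration, but that is cosmetic here.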
