From f5010994b9b921d799504a46a0f8d1817d656f5c Mon Sep 17 00:00:00 2001
From: Shashi Ranjan
Date: Tue, 27 Oct 2015 18:13:53 -0700
Subject: [PATCH] hotfix(hmac-auth) constant time digest comparison fix #655
---
kong/plugins/hmac-auth/access.lua | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/kong/plugins/hmac-auth/access.lua b/kong/plugins/hmac-auth/access.lua
index 57d86796d0c8..22e1696dd644 100644
--- a/kong/plugins/hmac-auth/access.lua
+++ b/kong/plugins/hmac-auth/access.lua
@@ -81,10 +81,24 @@ local function create_hash(request, hmac_params, headers)
 return ngx_sha1(hmac_params.secret, signing_string)
 end
 
+local function is_digest_equal(digest_1, digest_2)
+ if #digest_1 ~= #digest_1 then
+ return false
+ end
+
+ local result = true
+ for i=1, #digest_1 do
+ if digest_1:sub(i, i) ~= digest_2:sub(i, i) then
+ result = false
+ end
+ end
+ return result
+end
+
 local function validate_signature(request, hmac_params, headers)
 local digest = create_hash(request, hmac_params, headers)
 if digest then
- return digest == ngx_decode_base64(hmac_params.signature)
+ return is_digest_equal(digest, ngx_decode_base64(hmac_params.signature))
 end
 end
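Review bot: The length guard in is_digest_equal compares digest_1 against itself (`if #digest_1 ~= #digest_1 then`), so it never fires; the loop then only checks the first `#digest_1` bytes, which means a decoded signature that is longer than the computed digest but matches it as a prefix is accepted. It also means a nil second argument reaches `digest_2:sub(i, i)` and raises an index error instead of returning false, which matters here because validate_signature passes the raw result of ngx_decode_base64, and ngx.decode_base64 returns nil for malformed input if it behaves as documented. The guard should be `if type(digest_2) ~= "string" or #digest_1 ~= #digest_2 then` followed by `return false`. Separately, comparing one-character substrings allocates and interns strings on every iteration, so the timing is only best-effort; comparing `digest_1:byte(i) ~= digest_2:byte(i)` avoids the allocations without changing the result, and a comment such as `-- compare every byte regardless of mismatch so timing does not leak the first differing position` would make the intent of the non-short-circuiting loop explicit to the next maintainer.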