- diff --git modules/openid/openid.inc modules/openid/openid.inc
- index 9223a4d..ba89a00 100644
- --- modules/openid/openid.inc
- +++ modules/openid/openid.inc
- @@ -443,3 +443,29 @@ if (!function_exists('bcpowmod')) {
- return $result;
- }
- }
- +
- +/**
- + * Compare two strings of equal length in constant time.
- + *
- + * @param $a
- + * String to compare with $b.
- + * @param $b
- + * String to compare with $a.
- + *
- + * @return
- + * TRUE if the strings are equal, FALSE otherwise.
- + *
- + */
- +function _openid_string_compare($a, $b) {
- + $alen = strlen($a);
- + if ($alen != strlen($b)) {
- + return FALSE;
- + }
- +
- + $result = 0;
- + for ($i = 0 ; $i < $alen; $i++) {
- + $result |= (ord($a[$i]) ^ ord($b[$i]));
- + }
- + return $result == 0;
- +}
- +
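Review bot: `_openid_string_compare()` never checks that both arguments are strings, and the call in openid.module passes `$response['openid.sig']` straight in, which presumably comes from the request and could be an array or missing. On newer PHP versions `strlen()` on an array raises a TypeError instead of returning, so a guard at the top such as `if (!is_string($a) || !is_string($b)) { return FALSE; }` would keep verification failing closed. The docblock says "of equal length", but the code returns early on a length mismatch; it should state that only the content, not the length, is protected from timing, which is acceptable for a fixed-length MAC. Where PHP provides `hash_equals()` (5.6+), delegating to it behind a `function_exists('hash_equals')` check, as this file already does for `bcpowmod`, would be preferable to the hand-written loop.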
- diff --git modules/openid/openid.module modules/openid/openid.module
- index 9886487..34a45d5 100644
- --- modules/openid/openid.module
- +++ modules/openid/openid.module
- @@ -585,7 +611,7 @@ function openid_verify_assertion_signature($service, $association, $response) {
- return FALSE;
- }
- - return _openid_signature($association, $response, $keys_to_sign) == $response['openid.sig'];
- + return _openid_string_compare(_openid_signature($association, $response, $keys_to_sign), $response['openid.sig']);
- }
- /**
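Review bot: The new return line carries no comment saying why the signature is not compared with `==`, so a later cleanup could quietly restore the timing-dependent (and loosely typed) comparison. A one-line comment above it would do, e.g. `// Constant-time comparison so response timing does not reveal how much of the signature matched.` openid_verify_assertion_signature() starts outside this hunk, so whether `openid.sig` is checked for presence earlier in the function cannot be seen from here.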