Constant time for wp_verify_nonce().

Built from https://develop.svn.wordpress.org/trunk@29382


git-svn-id: http://core.svn.wordpress.org/trunk@29160 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Andrew Nacin 2014-08-06 05:26:16 +00:00
parent 444a25b375
commit 7d672c38a4
2 changed files with 34 additions and 3 deletions

View File

@ -94,3 +94,32 @@ if ( !function_exists('json_decode') ) {
return is_array($data) ? array_map(__FUNCTION__, $data) : $data;
}
}
if ( ! function_exists( 'hash_equals' ) ) :
/**
* Compare two strings in constant time.
*
* This function was added in PHP 5.6.
* It can leak the length of a string.
*
* @since 3.9.2
*
* @param string $a Expected string.
* @param string $b Actual string.
* @return bool Whether strings are equal.
*/
function hash_equals( $a, $b ) {
$a_length = strlen( $a );
if ( $a_length !== strlen( $b ) ) {
return false;
}
$result = 0;
// Do not attempt to "optimize" this.
for ( $i = 0; $i < $a_length; $i++ ) {
$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
}
return $result === 0;
}
endif;

View File

@ -671,7 +671,7 @@ function wp_validate_auth_cookie($cookie = '', $scheme = '') {
$key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
$hash = hash_hmac( 'sha256', $username . '|' . $expiration . '|' . $token, $key );
if ( hash_hmac( 'sha256', $hmac, $key ) !== hash_hmac( 'sha256', $hash, $key ) ) {
if ( ! hash_equals( $hash, $hmac ) ) {
/**
* Fires if a bad authentication cookie hash is encountered.
*
@ -1711,12 +1711,14 @@ function wp_verify_nonce($nonce, $action = -1) {
$i = wp_nonce_tick();
// Nonce generated 0-12 hours ago
if ( $nonce === substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 ) ) {
$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );
if ( hash_equals( $expected, $nonce ) ) {
return 1;
}
// Nonce generated 12-24 hours ago
if ( $nonce === substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 ) ) {
$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
if ( hash_equals( $expected, $nonce ) ) {
return 2;
}