From c4b546f41fef74f11509370bc5d4eb3ece76f44c Mon Sep 17 00:00:00 2001
From: Andrew Nacin <wp@andrewnacin.com>
Date: Wed, 6 Aug 2014 05:42:16 +0000
Subject: [PATCH] Constant time for wp_verify_nonce().

Merges [29382] to the 3.9 branch.

Adds a second copy of hash_equals() to pluggable.php in case compat.php is not copied over in an update. (The general goal is no cross-file dependencies for minor releases.)

Built from https://develop.svn.wordpress.org/branches/3.9@29384


git-svn-id: http://core.svn.wordpress.org/branches/3.9@29162 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/compat.php    | 29 ++++++++++++++++++++++++++
 wp-includes/pluggable.php | 44 ++++++++++++++++++++++++++++++++++++---
 2 files changed, 70 insertions(+), 3 deletions(-)

diff --git a/wp-includes/compat.php b/wp-includes/compat.php
index cb2a5597c8..83a8c64652 100644
--- a/wp-includes/compat.php
+++ b/wp-includes/compat.php
@@ -94,3 +94,32 @@ if ( !function_exists('json_decode') ) {
 		return is_array($data) ? array_map(__FUNCTION__, $data) : $data;
 	}
 }
+
+if ( ! function_exists( 'hash_equals' ) ) :
+/**
+ * Compare two strings in constant time.
+ *
+ * This function was added in PHP 5.6.
+ * It can leak the length of a string.
+ *
+ * @since 3.9.2
+ *
+ * @param string $a Expected string.
+ * @param string $b Actual string.
+ * @return bool Whether strings are equal.
+ */
+function hash_equals( $a, $b ) {
+	$a_length = strlen( $a );
+	if ( $a_length !== strlen( $b ) ) {
+		return false;
+	}
+	$result = 0;
+
+	// Do not attempt to "optimize" this.
+	for ( $i = 0; $i < $a_length; $i++ ) {
+		$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
+	}
+
+	return $result === 0;
+}
+endif;
\ No newline at end of file
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index ef2821fb2a..d42b178459 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -647,7 +647,7 @@ function wp_validate_auth_cookie($cookie = '', $scheme = '') {
 	$key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
 	$hash = hash_hmac('md5', $username . '|' . $expiration, $key);
 
-	if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {
+	if ( ! hash_equals( $hash, $hmac ) ) {
 		/**
 		 * Fires if a bad authentication cookie hash is encountered.
 		 *
@@ -1658,11 +1658,17 @@ function wp_verify_nonce($nonce, $action = -1) {
 	$i = wp_nonce_tick();
 
 	// Nonce generated 0-12 hours ago
-	if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) === $nonce )
+	$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );
+	if ( hash_equals( $expected, $nonce ) ) {
 		return 1;
+	}
+
 	// Nonce generated 12-24 hours ago
-	if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) === $nonce )
+	$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
+	if ( hash_equals( $expected, $nonce ) ) {
 		return 2;
+	}
+
 	// Invalid nonce
 	return false;
 }
@@ -2200,3 +2206,35 @@ function wp_text_diff( $left_string, $right_string, $args = null ) {
 }
 endif;
 
+if ( ! function_exists( 'hash_equals' ) ) :
+/**
+ * Compare two strings in constant time.
+ *
+ * This function is NOT pluggable. It is in this file (in addition to
+ * compat.php) to prevent errors if, during an update, pluggable.php
+ * copies over but compat.php does not.
+ *
+ * This function was added in PHP 5.6.
+ * It can leak the length of a string.
+ *
+ * @since 3.9.2
+ *
+ * @param string $a Expected string.
+ * @param string $b Actual string.
+ * @return bool Whether strings are equal.
+ */
+function hash_equals( $a, $b ) {
+	$a_length = strlen( $a );
+	if ( $a_length !== strlen( $b ) ) {
+		return false;
+	}
+	$result = 0;
+
+	// Do not attempt to "optimize" this.
+	for ( $i = 0; $i < $a_length; $i++ ) {
+		$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
+	}
+
+	return $result === 0;
+}
+endif;