octoleo/phpseclib
1
0
Fork 0
mirror of https://github.com/phpseclib/phpseclib.git synced 2025-01-15 03:03:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '2.0'

Browse Source
This commit is contained in:
terrafrost 2019-03-23 20:22:34 -05:00
commit 34e065fec8
3 changed files with 5 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
phpseclib/Common/Functions/Strings.php
View File

@ -60,35 +60,6 @@ abstract class Strings
return $substr; return $substr;
} }
/**
* Performs blinded equality testing on strings
*
* Protects against a particular type of timing attack described.
*
* See {@link http://codahale.com/a-lesson-in-timing-attacks/ A Lesson In Timing Attacks (or, Don't use MessageDigest.isEquals)}
*
* Thanks for the heads up singpolyma!
*
* @access public
* @param string $x
* @param string $y
* @return bool
*/
public static function equals($x, $y)
{
if (strlen($x) != strlen($y)) {
return false;
}
$result = "\0";
$x^= $y;
for ($i = 0; $i < strlen($x); $i++) {
$result|= $x[$i];
}
return $result === "\0";
}
/** /**
* Parse SSH2-style string * Parse SSH2-style string
* *

2
phpseclib/Crypt/Common/Keys/PuTTY.php
View File

@ -155,7 +155,7 @@ abstract class PuTTY
$hmac = trim(preg_replace('#Private-MAC: (.+)#', '$1', $key[$publicLength + $privateLength + 5])); $hmac = trim(preg_replace('#Private-MAC: (.+)#', '$1', $key[$publicLength + $privateLength + 5]));
$hmac = Hex::decode($hmac); $hmac = Hex::decode($hmac);
if (!Strings::equals($hash->hash($source), $hmac)) { if (!hash_equals($hash->hash($source), $hmac)) {
throw new \UnexpectedValueException('MAC validation error'); throw new \UnexpectedValueException('MAC validation error');
} }

8
phpseclib/Crypt/RSA.php
View File

@ -1236,7 +1236,7 @@ class RSA extends AsymmetricKey
$db = $maskedDB ^ $dbMask; $db = $maskedDB ^ $dbMask;
$lHash2 = substr($db, 0, $this->hLen); $lHash2 = substr($db, 0, $this->hLen);
$m = substr($db, $this->hLen); $m = substr($db, $this->hLen);
$hashesMatch = Strings::equals($lHash, $lHash2); $hashesMatch = hash_equals($lHash, $lHash2);
$leadingZeros = 1; $leadingZeros = 1;
$patternMatch = 0; $patternMatch = 0;
$offset = 0; $offset = 0;
@ -1463,7 +1463,7 @@ class RSA extends AsymmetricKey
$salt = substr($db, $temp + 1); // should be $sLen long $salt = substr($db, $temp + 1); // should be $sLen long
$m2 = "\0\0\0\0\0\0\0\0" . $mHash . $salt; $m2 = "\0\0\0\0\0\0\0\0" . $mHash . $salt;
$h2 = $this->hash->hash($m2); $h2 = $this->hash->hash($m2);
return Strings::equals($h, $h2); return hash_equals($h, $h2);
} }
/** /**
@ -1657,7 +1657,7 @@ class RSA extends AsymmetricKey
} }
// Compare // Compare
return Strings::equals($em, $em2); return hash_equals($em, $em2);
} }
/** /**
@ -1747,7 +1747,7 @@ class RSA extends AsymmetricKey
$em = $hash->hash($m); $em = $hash->hash($m);
$em2 = $decoded['digest']; $em2 = $decoded['digest'];
return Strings::equals($em, $em2); return hash_equals($em, $em2);
} }
/** /**