Made HMAC verification a constant-time operation.

commit a36b5cae59e9c68e8ffb4c7901a7dc4ba91bd49a 1 parent 02662c7
@mehrdada mehrdada authored friism committed
Showing with 17 additions and 1 deletion.
  1. +17 −1 AppHarbor.Web.Security/KeyedHashValidation.cs
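--- a/AppHarbor.Web.Security/KeyedHashValidation.cs
+++ b/AppHarbor.Web.Security/KeyedHashValidation.cs
@@ -57,8 +57,24 @@ public override bool Validate(byte[] signedMessage)
 private bool Validate(byte[] signedMessage, int dataLength)
 {
+ bool isValid = true;
+ if (signedMessage.Length == 0)
+ {
+ return false;
+ }
 var validSignature = ComputeSignature(signedMessage, 0, dataLength);
- return validSignature.SequenceEqual(signedMessage.Skip(dataLength));
+ for (int i = 0; i < validSignature.Length; i++)
+ {
+ if (i + dataLength >= signedMessage.Length)
+ {
+ isValid = false;
+ }
+ if (signedMessage[(i + dataLength) % signedMessage.Length] != validSignature[i])
+ {
+ isValid = false;
+ }
+ }
+ return isValid;
 }
 }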
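Review bot: The new loop compares only `validSignature.Length` bytes starting at `dataLength`, so unlike the removed `SequenceEqual` call it no longer rejects a `signedMessage` that carries extra bytes after the signature. Whether that case can occur depends on how the public `Validate` overload derives `dataLength`, which is outside this hunk. The lengths are not secret, so an explicit check before the loop restores the old behaviour without affecting timing: `if (signedMessage.Length - dataLength != validSignature.Length) { isValid = false; }`. The per-byte `if (... != ...)` is also still a branch on secret-dependent data. Declaring `int diff = 0;`, accumulating `diff |= signedMessage[(i + dataLength) % signedMessage.Length] ^ validSignature[i];` and returning `isValid && diff == 0` would keep the comparison itself branch-free.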