implement constant time password compare for Basic auth

François Kooman · François Kooman · commit 4be03edbc80b · 2017-02-17T14:01:02.000+01:00
diff --git a/composer.json b/composer.json
@@ -21,6 +21,7 @@
         "ext-pcre": "*",
         "ext-pdo": "*",
         "ext-spl": "*",
-        "php": ">=5.4"
+        "php": ">=5.4",
+        "symfony/polyfill-php56": "^1.3"
     }
 }
diff --git a/composer.lock b/composer.lock
diff --git a/src/Rest/Plugin/BasicAuthentication.php b/src/Rest/Plugin/BasicAuthentication.php
@@ -48,7 +48,7 @@ public function execute(Request $request)
         $requestBasicAuthUser = $request->getBasicAuthUser();
         $requestBasicAuthPass = $request->getBasicAuthPass();
 
-        if ($this->basicAuthUser !== $requestBasicAuthUser || $this->basicAuthPass !== $requestBasicAuthPass) {
+        if ($this->basicAuthUser !== $requestBasicAuthUser || !$this->checkPassword($this->basicAuthPass, $requestBasicAuthPass)) {
             $response = new JsonResponse(401);
             $response->setHeader(
                 'WWW-Authenticate',
@@ -66,4 +66,16 @@ public function execute(Request $request)
 
         return true;
     }
+
+    /**
+     * @param string $knownString the expected password
+     * @param string $userString  the (user) provided password
+     *
+     * @return bool
+     */
+    private function checkPassword($knownString, $userString)
+    {
+        // constant time string compare
+        return hash_equals($knownString, $userString);
+    }
 }
