Merge branch 'EvanDotPro-hotfix/zend-auth-duplicate-code' into develop

library/Zend/Authentication/Adapter/Digest.php

@@ -11,6 +11,7 @@
 
 use Zend\Authentication\Result as AuthenticationResult;
 use Zend\Stdlib\ErrorHandler;
+use Zend\Crypt\Utils as CryptUtils;
 
 class Digest extends AbstractAdapter
 {
@@ -178,7 +179,7 @@ public function authenticate()
                 break;
             }
             if (substr($line, 0, $idLength) === $id) {
-                if ($this->_secureStringCompare(substr($line, -32), md5("$this->identity:$this->realm:$this->credential"))) {
+                if (CryptUtils::compareStrings(substr($line, -32), md5("$this->identity:$this->realm:$this->credential"))) {
                     $result['code'] = AuthenticationResult::SUCCESS;
                 } else {
                     $result['code'] = AuthenticationResult::FAILURE_CREDENTIAL_INVALID;
@@ -192,26 +193,4 @@ public function authenticate()
         $result['messages'][] = "Username '$this->identity' and realm '$this->realm' combination not found";
         return new AuthenticationResult($result['code'], $result['identity'], $result['messages']);
     }
-
-    /**
-     * Securely compare two strings for equality while avoided C level memcmp()
-     * optimisations capable of leaking timing information useful to an attacker
-     * attempting to iteratively guess the unknown string (e.g. password) being
-     * compared against.
-     *
-     * @param string $a
-     * @param string $b
-     * @return bool
-     */
-    protected function _secureStringCompare($a, $b)
-    {
-        if (strlen($a) !== strlen($b)) {
-            return false;
-        }
-        $result = 0;
-        for ($i = 0, $len = strlen($a); $i < $len; $i++) {
-            $result |= ord($a[$i]) ^ ord($b[$i]);
-        }
-        return $result == 0;
-    }
 }

library/Zend/Authentication/Adapter/Http.php

@@ -13,6 +13,7 @@
 use Zend\Http\Request as HTTPRequest;
 use Zend\Http\Response as HTTPResponse;
 use Zend\Uri\UriFactory;
+use Zend\Crypt\Utils as CryptUtils;
 
 /**
  * HTTP Authentication Adapter
@@ -489,7 +490,7 @@ protected function _basicAuth($header)
 
         if (!$result instanceof Authentication\Result
             && !is_array($result)
-            && $this->_secureStringCompare($result, $creds[1])
+            && CryptUtils::compareStrings($result, $creds[1])
         ) {
             $identity = array('username' => $creds[0], 'realm' => $this->realm);
             return new Authentication\Result(Authentication\Result::SUCCESS, $identity);
@@ -582,7 +583,7 @@ protected function _digestAuth($header)
 
         // If our digest matches the client's let them in, otherwise return
         // a 401 code and exit to prevent access to the protected resource.
-        if ($this->_secureStringCompare($digest, $data['response'])) {
+        if (CryptUtils::compareStrings($digest, $data['response'])) {
             $identity = array('username' => $data['username'], 'realm' => $data['realm']);
             return new Authentication\Result(Authentication\Result::SUCCESS, $identity);
         }
@@ -798,26 +799,4 @@ protected function _parseDigestAuth($header)
 
         return $data;
     }
-
-    /**
-     * Securely compare two strings for equality while avoided C level memcmp()
-     * optimisations capable of leaking timing information useful to an attacker
-     * attempting to iteratively guess the unknown string (e.g. password) being
-     * compared against.
-     *
-     * @param string $a
-     * @param string $b
-     * @return bool
-     */
-    protected function _secureStringCompare($a, $b)
-    {
-        if (strlen($a) !== strlen($b)) {
-            return false;
-        }
-        $result = 0;
-        for ($i = 0, $len = strlen($a); $i < $len; $i++) {
-            $result |= ord($a[$i]) ^ ord($b[$i]);
-        }
-        return $result == 0;
-    }
 }

library/Zend/Authentication/composer.json

@@ -18,6 +18,7 @@
     },
     "suggest": {
         "zendframework/zend-db": "Zend\\Db component",
+        "zendframework/zend-crypt": "Zend\\Crypt component",
         "zendframework/zend-uri": "Zend\\Uri component",
         "zendframework/zend-session": "Zend\\Session component"
     },