fixed vulnerable of timing attack

README.ja.md

@@ -35,12 +35,6 @@ Play2.2.1 で動作確認をしています。
 柔軟に他の操作を組み合わせて使用することができます。
 
 
-以前のバージョン
----------------------------------------
-
-Play2.1.x 向けの使用方法は [0.10.1 README](https://github.com/t2v/play2-auth/blob/release0.10.1/README.ja.md)をご参照ください。
-Play2.0.x 向けの使用方法は [0.7 README](https://github.com/t2v/play2-auth/blob/release0.7/README.ja.md)をご参照ください。
-
 Play2.1以前をお使いの方へ
 ---------------------------------------
 
@@ -53,15 +47,15 @@ Play2.1以前をお使いの方へ
 
 `Build.scala` もしくは `build.sbt` にライブラリ依存性定義を追加します。
 
-  "jp.t2v" %% "play2-auth" % "0.11.0",
-  "jp.t2v" %% "play2-auth-test" % "0.11.0" % "test"
+  "jp.t2v" %% "play2-auth" % "0.11.1",
+  "jp.t2v" %% "play2-auth-test" % "0.11.1" % "test"
 
 For example: `Build.scala`
 
 ```scala
  val appDependencies = Seq(
- "jp.t2v" %% "play2-auth" % "0.11.0-SNAPSHT",
- "jp.t2v" %% "play2-auth-test" % "0.11.0-SNAPSHT" % "test"
+ "jp.t2v" %% "play2-auth" % "0.11.1",
+ "jp.t2v" %% "play2-auth-test" % "0.11.1" % "test"
  )
 ```
 

README.md

@@ -34,14 +34,6 @@ Play2x-Auth provides an interface that returns an [`Either[PlainResult, User]`](
 making writing complicated action methods easier. [`Either`](http:https://www.scala-lang.org/api/current/scala/util/Either.html) is a wrapper similar to `Option`
 
 
-Previous Version
----------------------------------------
-
-for Play2.1.x, Please see [previous version 0.10.1 README](https://github.com/t2v/play2-auth/tree/release0.10.1)
-
-for Play2.0.x, Please see [previous version 0.7 README](https://github.com/t2v/play2-auth/tree/release0.7)
-
-
 Attention
 ---------------------------------------
 
@@ -55,15 +47,15 @@ Add dependency declarations into your `Build.scala` or `build.sbt` file:
 
 * __for Play2.2.x__
 
-  "jp.t2v" %% "play2-auth" % "0.11.0",
-  "jp.t2v" %% "play2-auth-test" % "0.11.0" % "test"
+  "jp.t2v" %% "play2-auth" % "0.11.1",
+  "jp.t2v" %% "play2-auth-test" % "0.11.1" % "test"
 
 For example your `Build.scala` might look like this:
 
 ```scala
  val appDependencies = Seq(
- "jp.t2v" %% "play2-auth" % "0.11.0",
- "jp.t2v" %% "play2-auth.test" % "0.11.0" % "test"
+ "jp.t2v" %% "play2-auth" % "0.11.1",
+ "jp.t2v" %% "play2-auth.test" % "0.11.1" % "test"
  )
 ```
 

module/src/main/scala/jp/t2v/lab/play2/auth/CookieUtil.scala

@@ -8,7 +8,22 @@ trait CookieUtil {
 
  def verifyHmac(cookie: Cookie): Option[String] = {
  val (hmac, value) = cookie.value.splitAt(40)
- if (Crypto.sign(value) == hmac) Some(value) else None
+ if (safeEquals(Crypto.sign(value), hmac)) Some(value) else None
+ }
+
+ // Do not change this unless you understand the security issues behind timing attacks.
+ // This method intentionally runs in constant time if the two strings have the same length.
+ // If it didn't, it would be vulnerable to a timing attack.
+ protected def safeEquals(a: String, b: String) = {
+ if (a.length != b.length) {
+ false
+ } else {
+ var equal = 0
+ for (i <- Array.range(0, a.length)) {
+ equal |= a(i) ^ b(i)
+ }
+ equal == 0
+ }
  }
 
 }

project/Build.scala

@@ -9,7 +9,7 @@ object ApplicationBuild extends Build {
  val playVersion = "2.2.0"
 
  lazy val baseSettings = Seq(
- version := "0.11.0",
+ version := "0.11.1",
  scalaVersion := "2.10.3",
  scalaBinaryVersion := "2.10",
  organization := "jp.t2v",