fixed vulnerable of timing attack

README.ja.md

@@ -36,10 +36,8 @@ Play2.4.2 で動作確認をしています。
 以前のバージョン
 ---------------------------------------
 
-Play2.3.x 向けの使用方法は [0.13.2 README](https://github.com/t2v/play2-auth/blob/release0.13.2/README.ja.md)をご参照ください。
-Play2.2.x 向けの使用方法は [0.11.0 README](https://github.com/t2v/play2-auth/blob/release0.11.0/README.ja.md)をご参照ください。
-Play2.1.x 向けの使用方法は [0.10.1 README](https://github.com/t2v/play2-auth/blob/release0.10.1/README.ja.md)をご参照ください。
-Play2.0.x 向けの使用方法は [0.7 README](https://github.com/t2v/play2-auth/blob/release0.7/README.ja.md)をご参照ください。
+Play2.3.x 向けの使用方法は [0.13.5 README](https://github.com/t2v/play2-auth/blob/release0.13.5/README.ja.md)をご参照ください。
+Play2.2.x 向けの使用方法は [0.11.1 README](https://github.com/t2v/play2-auth/blob/release0.11.1/README.ja.md)をご参照ください。
 
 Play2.1以前をお使いの方へ
 ---------------------------------------
@@ -53,18 +51,18 @@ Play2.1以前をお使いの方へ
 
 `Build.scala` もしくは `build.sbt` にライブラリ依存性定義を追加します。
 
-  "jp.t2v" %% "play2-auth" % "0.14.0",
-  "jp.t2v" %% "play2-auth-social" % "0.14.0", // ソーシャルログイン
-  "jp.t2v" %% "play2-auth-test" % "0.14.0" % "test",
+  "jp.t2v" %% "play2-auth" % "0.14.1",
+  "jp.t2v" %% "play2-auth-social" % "0.14.1", // ソーシャルログイン
+  "jp.t2v" %% "play2-auth-test" % "0.14.1" % "test",
   play.sbt.Play.autoImport.cache // デフォルトのIdContainerを使う場合のみ必要です
 
 For example: `Build.scala`
 
 ```scala
  val appDependencies = Seq(
- "jp.t2v" %% "play2-auth" % "0.14.0",
- "jp.t2v" %% "play2-auth-social" % "0.14.0",
- "jp.t2v" %% "play2-auth-test" % "0.14.0" % "test",
+ "jp.t2v" %% "play2-auth" % "0.14.1",
+ "jp.t2v" %% "play2-auth-social" % "0.14.1",
+ "jp.t2v" %% "play2-auth-test" % "0.14.1" % "test",
  play.sbt.Play.autoImport.cache // デフォルトのIdContainerを使う場合のみ必要です
  )
 ```

README.md

@@ -36,14 +36,9 @@ Play2x-Auth provides a way of composition.
 Previous Version
 ---------------------------------------
 
-for Play2.3.x, Please see [previous version 0.11.0 README](https://github.com/t2v/play2-auth/blob/release0.13.2/README.md)
-
-for Play2.2.x, Please see [previous version 0.11.0 README](https://github.com/t2v/play2-auth/blob/release0.11.0/README.md)
-
-for Play2.1.x, Please see [previous version 0.10.1 README](https://github.com/t2v/play2-auth/tree/release0.10.1)
-
-for Play2.0.x, Please see [previous version 0.7 README](https://github.com/t2v/play2-auth/tree/release0.7)
+for Play2.3.x, Please see [previous version 0.13.5 README](https://github.com/t2v/play2-auth/blob/release0.13.5/README.md)
 
+for Play2.2.x, Please see [previous version 0.11.1 README](https://github.com/t2v/play2-auth/blob/release0.11.1/README.md)
 
 Attention
 ---------------------------------------
@@ -61,18 +56,18 @@ Add dependency declarations into your `Build.scala` or `build.sbt` file:
 
 * __for Play2.4.x__
 
-  "jp.t2v" %% "play2-auth" % "0.14.0",
-  "jp.t2v" %% "play2-auth-social" % "0.14.0", // for social login
-  "jp.t2v" %% "play2-auth-test" % "0.14.0" % "test",
+  "jp.t2v" %% "play2-auth" % "0.14.1",
+  "jp.t2v" %% "play2-auth-social" % "0.14.1", // for social login
+  "jp.t2v" %% "play2-auth-test" % "0.14.1" % "test",
   play.sbt.Play.autoImport.cache // only when you use default IdContainer
 
 For example your `Build.scala` might look like this:
 
 ```scala
  val appDependencies = Seq(
- "jp.t2v" %% "play2-auth" % "0.14.0",
- "jp.t2v" %% "play2-auth-social" % "0.14.0",
- "jp.t2v" %% "play2-auth-test" % "0.14.0" % "test",
+ "jp.t2v" %% "play2-auth" % "0.14.1",
+ "jp.t2v" %% "play2-auth-social" % "0.14.1",
+ "jp.t2v" %% "play2-auth-test" % "0.14.1" % "test",
  play.sbt.Play.autoImport.cache
  )
 ```

module/src/main/scala/jp/t2v/lab/play2/auth/TokenAccessor.scala

@@ -13,9 +13,24 @@ trait TokenAccessor {
 
  protected def verifyHmac(token: SignedToken): Option[AuthenticityToken] = {
  val (hmac, value) = token.splitAt(40)
- if (Crypto.sign(value) == hmac) Some(value) else None
+ if (safeEquals(Crypto.sign(value), hmac)) Some(value) else None
  }
 
  protected def sign(token: AuthenticityToken): SignedToken = Crypto.sign(token) + token
 
+ // Do not change this unless you understand the security issues behind timing attacks.
+ // This method intentionally runs in constant time if the two strings have the same length.
+ // If it didn't, it would be vulnerable to a timing attack.
+ protected def safeEquals(a: String, b: String) = {
+ if (a.length != b.length) {
+ false
+ } else {
+ var equal = 0
+ for (i <- Array.range(0, a.length)) {
+ equal |= a(i) ^ b(i)
+ }
+ equal == 0
+ }
+ }
+
 }

project/Build.scala

@@ -9,7 +9,7 @@ object ApplicationBuild extends Build {
  val playVersion = play.core.PlayVersion.current
 
  lazy val baseSettings = Seq(
- version := "0.14.0",
+ version := "0.14.1",
  scalaVersion := "2.11.6",
  crossScalaVersions := Seq("2.10.5", "2.11.6"),
  organization := "jp.t2v",