Posted to commits@couchdb.apache.org by rn...@apache.org on 2011/10/13 16:14:56 UTC

[2/4] git commit: restore couch_util:verify call in oauth.

restore couch_util:verify call in oauth.


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/ed9b6663
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/ed9b6663
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/ed9b6663

Branch: refs/heads/1.2.x
Commit: ed9b6663f4a232e0728c509a0cf582fd27cc0ffa
Parents: 94313f3
Author: Robert Newson <rn...@apache.org>
Authored: Thu Oct 13 15:09:02 2011 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Thu Oct 13 15:09:18 2011 +0100

----------------------------------------------------------------------
 src/erlang-oauth/oauth_hmac_sha1.erl |    2 +-
 src/erlang-oauth/oauth_plaintext.erl |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/ed9b6663/src/erlang-oauth/oauth_hmac_sha1.erl
----------------------------------------------------------------------
diff --git a/src/erlang-oauth/oauth_hmac_sha1.erl b/src/erlang-oauth/oauth_hmac_sha1.erl
index 69064ed..35549cf 100644
--- a/src/erlang-oauth/oauth_hmac_sha1.erl
+++ b/src/erlang-oauth/oauth_hmac_sha1.erl
@@ -8,4 +8,4 @@ signature(BaseString, CS, TS) ->
   base64:encode_to_string(crypto:sha_mac(Key, BaseString)).
 
 verify(Signature, BaseString, CS, TS) ->
-  Signature =:= signature(BaseString, CS, TS).
+  couch_util:verify(Signature, signature(BaseString, CS, TS)).
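Review bot: The new body of verify/4 hands a caller-supplied `Signature` to `couch_util:verify/2`, whose handling of mismatched inputs is not visible in this hunk, whereas `=:=` was total and simply returned false. signature/3 (its head is above the hunk) ends in `base64:encode_to_string` and so returns a list; it is worth confirming that a binary, a string of a different length or a non-string term for `Signature` still yields false rather than an exception. The same applies to verify/3 in oauth_plaintext.erl. Since the commit title says the call is being restored, a comment above both clauses would help it survive the next update of what appears to be a bundled copy of erlang-oauth, e.g. `%% Compared with couch_util:verify/2 on purpose; do not revert to =:= when updating erlang-oauth.`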

http://git-wip-us.apache.org/repos/asf/couchdb/blob/ed9b6663/src/erlang-oauth/oauth_plaintext.erl
----------------------------------------------------------------------
diff --git a/src/erlang-oauth/oauth_plaintext.erl b/src/erlang-oauth/oauth_plaintext.erl
index d8085e0..9544a0a 100644
--- a/src/erlang-oauth/oauth_plaintext.erl
+++ b/src/erlang-oauth/oauth_plaintext.erl
@@ -7,4 +7,4 @@ signature(CS, TS) ->
   oauth_uri:calate("&", [CS, TS]).
 
 verify(Signature, CS, TS) ->
-  Signature =:= signature(CS, TS).
+  couch_util:verify(Signature, signature(CS, TS)).
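Review bot: In verify/3 the second argument to `couch_util:verify/2` is the PLAINTEXT signature, which signature/2 builds directly from `CS` and `TS`, so whatever the helper still reveals about its inputs is revealed about the secrets themselves rather than about an HMAC output. The helper's body is not shown here; if it returns early when the two lengths differ, that is presumably harmless for the fixed-length value in oauth_hmac_sha1.erl but less clearly so here. I would record the expectation next to the call, for example `%% Expected value is derived from the secrets; comparison must not depend on where or whether they differ.`, and confirm the helper meets it.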


Re: [2/4] git commit: restore couch_util:verify call in oauth.

Posted by Randall Leeds <ra...@gmail.com>.
I'm not sure why this change was made unless it's to prevent timing attacks?
couch_util:verify seems to do something equivalent and it's strange to me
that we should be making calls into the couchdb sources from erlang-oauth,
which should be independent. If it's for the timing reason, can we put a
verify inside erlang-oauth and get it upstream or something for the future?

-Randall

On Thu, Oct 13, 2011 at 07:14, <rn...@apache.org> wrote:

> restore couch_util:verify call in oauth.
>
>
> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/ed9b6663
> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/ed9b6663
> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/ed9b6663
>
> Branch: refs/heads/1.2.x
> Commit: ed9b6663f4a232e0728c509a0cf582fd27cc0ffa
> Parents: 94313f3
> Author: Robert Newson <rn...@apache.org>
> Authored: Thu Oct 13 15:09:02 2011 +0100
> Committer: Robert Newson <rn...@apache.org>
> Committed: Thu Oct 13 15:09:18 2011 +0100
>
> ----------------------------------------------------------------------
>  src/erlang-oauth/oauth_hmac_sha1.erl |    2 +-
>  src/erlang-oauth/oauth_plaintext.erl |    2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> ----------------------------------------------------------------------
>
>
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/ed9b6663/src/erlang-oauth/oauth_hmac_sha1.erl
> ----------------------------------------------------------------------
> diff --git a/src/erlang-oauth/oauth_hmac_sha1.erl
> b/src/erlang-oauth/oauth_hmac_sha1.erl
> index 69064ed..35549cf 100644
> --- a/src/erlang-oauth/oauth_hmac_sha1.erl
> +++ b/src/erlang-oauth/oauth_hmac_sha1.erl
> @@ -8,4 +8,4 @@ signature(BaseString, CS, TS) ->
>   base64:encode_to_string(crypto:sha_mac(Key, BaseString)).
>
>  verify(Signature, BaseString, CS, TS) ->
> -  Signature =:= signature(BaseString, CS, TS).
> +  couch_util:verify(Signature, signature(BaseString, CS, TS)).
>
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/ed9b6663/src/erlang-oauth/oauth_plaintext.erl
> ----------------------------------------------------------------------
> diff --git a/src/erlang-oauth/oauth_plaintext.erl
> b/src/erlang-oauth/oauth_plaintext.erl
> index d8085e0..9544a0a 100644
> --- a/src/erlang-oauth/oauth_plaintext.erl
> +++ b/src/erlang-oauth/oauth_plaintext.erl
> @@ -7,4 +7,4 @@ signature(CS, TS) ->
>   oauth_uri:calate("&", [CS, TS]).
>
>  verify(Signature, CS, TS) ->
> -  Signature =:= signature(CS, TS).
> +  couch_util:verify(Signature, signature(CS, TS)).
>
>