From 098afc3a5d8c0aba33efdbfb7e7a8a4b0bbc53fe Mon Sep 17 00:00:00 2001
From: Tim Nagel
Date: Wed, 27 Aug 2014 17:18:28 +1000
Subject: [PATCH 1/2] WSSE Auth: Timing safe comparison

---
 cookbook/security/custom_authentication_provider.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cookbook/security/custom_authentication_provider.rst b/cookbook/security/custom_authentication_provider.rst
index b3e8c2535ae..1aa92fff29f 100644
--- a/cookbook/security/custom_authentication_provider.rst
+++ b/cookbook/security/custom_authentication_provider.rst
@@ -201,6 +201,7 @@ the ``PasswordDigest`` header value matches with the user's password.
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\NonceExpiredException;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+ use Symfony\Component\Security\Core\Util\StringUtils;
 use Acme\DemoBundle\Security\Authentication\Token\WsseUserToken;
 class WsseProvider implements AuthenticationProviderInterface
@@ -260,7 +261,7 @@ the ``PasswordDigest`` header value matches with the user's password.
 // Validate Secret
 $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
- return $digest === $expected;
+ return StringUtils::equals($expected, $digest);
 }
 public function supports(TokenInterface $token)

From 822f91a002d1be948390f10a4423e5bea40c1349 Mon Sep 17 00:00:00 2001
From: Tim Nagel
Date: Sun, 8 Mar 2015 21:47:04 +1100
Subject: [PATCH 2/2] Add note about the constant time comparison

---
 cookbook/security/custom_authentication_provider.rst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/cookbook/security/custom_authentication_provider.rst b/cookbook/security/custom_authentication_provider.rst
index 1aa92fff29f..fdbb4fe2a42 100644
--- a/cookbook/security/custom_authentication_provider.rst
+++ b/cookbook/security/custom_authentication_provider.rst
@@ -278,6 +278,14 @@ the ``PasswordDigest`` header value matches with the user's password.
 provider for the given token. In the case of multiple providers, the authentication manager will then move to the next provider in the list.
+.. note::
+
+ The comparsion of the expected and the provided digests uses a constant
+ time comparison provided by the
+ :method:`Symfony\\Component\\Security\\Core\\Util\\StringUtils::equals`
+ method of the ``StringUtils`` class. It is used to mitigate possible
+ `timing attacks`_.
+
 The Factory
 -----------
@@ -605,3 +613,4 @@ in the factory and consumed or passed to the other classes in the container.
 .. _`WSSE`: http://www.xml.com/pub/a/2003/12/17/dive.html
 .. _`nonce`: http://en.wikipedia.org/wiki/Cryptographic_nonce
+.. _`timing attacks`: http://en.wikipedia.org/wiki/Timing_attack