I'm not sure why this change was made unless it's to prevent timing attacks? couch_util:verify seems to do something equivalent and it's strange to me that we should be making calls into the couchdb sources from erlang-oauth, which should be independent. If it's for the timing reason, can we put a verify inside erlang-oauth and get it upstream or something for the future?
-Randall
On Thu, Oct 13, 2011 at 07:14, <rnew...@apache.org> wrote:
> restore couch_util:verify call in oauth.
>
>
> Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
> Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/ed9b6663
> Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/ed9b6663
> Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/ed9b6663
>
> Branch: refs/heads/1.2.x
> Commit: ed9b6663f4a232e0728c509a0cf582fd27cc0ffa
> Parents: 94313f3
> Author: Robert Newson <rnew...@apache.org>
> Authored: Thu Oct 13 15:09:02 2011 +0100
> Committer: Robert Newson <rnew...@apache.org>
> Committed: Thu Oct 13 15:09:18 2011 +0100
>
> ----------------------------------------------------------------------
> src/erlang-oauth/oauth_hmac_sha1.erl | 2 +-
> src/erlang-oauth/oauth_plaintext.erl | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
> ----------------------------------------------------------------------
>
>
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/ed9b6663/src/erlang-oauth/oauth_hmac_sha1.erl
> ----------------------------------------------------------------------
> diff --git a/src/erlang-oauth/oauth_hmac_sha1.erl
> b/src/erlang-oauth/oauth_hmac_sha1.erl
> index 69064ed..35549cf 100644
> --- a/src/erlang-oauth/oauth_hmac_sha1.erl
> +++ b/src/erlang-oauth/oauth_hmac_sha1.erl
> @@ -8,4 +8,4 @@ signature(BaseString, CS, TS) ->
> base64:encode_to_string(crypto:sha_mac(Key, BaseString)).
>
> verify(Signature, BaseString, CS, TS) ->
> - Signature =:= signature(BaseString, CS, TS).
> + couch_util:verify(Signature, signature(BaseString, CS, TS)).
>
>
> http://git-wip-us.apache.org/repos/asf/couchdb/blob/ed9b6663/src/erlang-oauth/oauth_plaintext.erl
> ----------------------------------------------------------------------
> diff --git a/src/erlang-oauth/oauth_plaintext.erl
> b/src/erlang-oauth/oauth_plaintext.erl
> index d8085e0..9544a0a 100644
> --- a/src/erlang-oauth/oauth_plaintext.erl
> +++ b/src/erlang-oauth/oauth_plaintext.erl
> @@ -7,4 +7,4 @@ signature(CS, TS) ->
> oauth_uri:calate("&", [CS, TS]).
>
> verify(Signature, CS, TS) ->
> - Signature =:= signature(CS, TS).
> + couch_util:verify(Signature, signature(CS, TS)).
>
>
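Review bot: Neither new `verify` body (the last line of the oauth_hmac_sha1.erl hunk and of the oauth_plaintext.erl hunk) has a comment saying why the comparison goes through `couch_util:verify/2` instead of `=:=`. The commit title says the call is being restored, so it has apparently been dropped from this vendored code once already. I would put `%% Constant-time compare of the client-supplied signature; do not replace with =:=.` above each call, assuming that is what `couch_util:verify/2` provides, since its body is not shown here. It is also worth confirming that it returns `false` rather than raising when `Signature` differs in length or type from the computed value, because `Signature` comes from the request. In oauth_plaintext.erl the computed value is built directly from `CS` and `TS`, so that file is where an early-exit comparison would cost the most.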