Merge pull request #28 from afk11/blinded-hmac-comparison

Avoid timing side channels in signature validation
99designs · Jan 18, 2017 · fd2d274 · fd2d274
2 parents 1d64ff6 + a33b1db
commit fd2d274
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/composer.json b/composer.json
@@ -21,6 +21,7 @@
     },
     "require": {
         "php": ">=5.5",
+        "paragonie/random_compat": "^1.0|^2.0",
         "symfony/http-foundation": "~2.8|~3.0",
         "psr/http-message": "^1.0",
         "symfony/psr-http-message-bridge": "^1.0",

diff --git a/src/Verification.php b/src/Verification.php
@@ -39,7 +39,8 @@ public function isValid()
     private function signatureMatches()
     {
         try {
-            return $this->expectedSignatureBase64() === $this->providedSignatureBase64();
+            $random = random_bytes(32);
+            return hash_hmac('sha256', $this->expectedSignatureBase64(), $random, true) === hash_hmac('sha256', $this->providedSignatureBase64(), $random, true);
         } catch (SignatureParseException $e) {
             return false;
         } catch (KeyStoreException $e) {