We're currently using a double HMAC approach for signature comparison, as that was the only way for us to securely compare HMAC signatures without making it a breaking change, as the hash_equals function we need isn't available until PHP 5.7, and we support PHP 5.5+.
When we roll out our next major version we should increase the minimum PHP version to 5.7 or higher, and swap to using hash_equals.
See https://github.com/99designs/http-signatures-php/pull/28 for what prompted this.
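
The double HMAC comparison described above, with hash_equals used when the runtime provides it, as an added example that is not code from http-signatures-php. The function names, the secret and the signing string are assumptions constructed for illustration.

```php
<?php
// Added example; timing_safe_equals() and comparison_key() are hypothetical names.

// Fresh random key for one comparison. random_bytes() is used when present,
// otherwise the OpenSSL extension's generator (assumed to be loaded).
function comparison_key($length)
{
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }
    return openssl_random_pseudo_bytes($length);
}

// Compare two signature strings without letting response timing reveal
// how many leading bytes of the attacker-supplied value were correct.
function timing_safe_equals($expected, $actual)
{
    // Native constant-time comparison, when the runtime has it.
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $actual);
    }

    // Double HMAC fallback: MAC both values again under a key the caller
    // never sees. The === below may still stop at the first differing byte,
    // but the bytes being compared are unpredictable to the sender, so the
    // timing says nothing useful about the original signature.
    $key = comparison_key(32);
    $a = hash_hmac('sha256', $expected, $key, true);
    $b = hash_hmac('sha256', $actual, $key, true);
    return $a === $b;
}

// Constructed sample data: a shared secret and a signing string.
$secret   = 'constructed-demo-secret';
$signing  = "(request-target): get /example\ndate: Tue, 07 Jun 2014 20:51:35 GMT";
$expected = base64_encode(hash_hmac('sha256', $signing, $secret, true));

// A signature with only its last character altered (constructed).
$last     = substr($expected, -1) === 'A' ? 'B' : 'A';
$tampered = substr($expected, 0, -1) . $last;

var_dump(timing_safe_equals($expected, $expected));
var_dump(timing_safe_equals($expected, $tampered));
```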