
Use hash_equals instead of double HMAC approach for signature comparison

Open · rbone opened this issue 8 years ago · 1 comment

See https://github.com/99designs/http-signatures-php/pull/28 for what prompted this.

We're currently using a double HMAC approach for signature comparison, as that was the only way for us to securely compare HMAC signatures without making it a breaking change, as the hash_equals function we need isn't available until PHP 5.7, and we support PHP 5.5+.

When we roll out our next major version we should increase the minimum PHP version to 5.7 or higher, and swap to using hash_equals.

rbone avatar Jan 18 '17 22:01 rbone
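The two comparison strategies this issue contrasts, as an added illustration that is not code from http-signatures-php: the double-HMAC comparison that works on PHP 5.5, and `hash_equals()` where the function exists. Function names and the sample signature values are constructed for the example.

```php
<?php
// Added example, not part of the http-signatures-php project.

/**
 * Double-HMAC comparison for PHP versions without hash_equals().
 * Both values are re-keyed with a fresh random key, so the byte position
 * at which the (short-circuiting) === comparison stops depends only on
 * unpredictable MAC output, not on how much of $expected the caller got right.
 */
function doubleHmacEquals($expected, $provided)
{
    if (!is_string($expected) || !is_string($provided)) {
        return false;
    }
    // openssl_random_pseudo_bytes() is available on PHP 5.3+ (random_bytes() is 7.0+).
    $key = openssl_random_pseudo_bytes(32);
    $expectedMac = hash_hmac('sha256', $expected, $key, true);
    $providedMac = hash_hmac('sha256', $provided, $key, true);
    return $expectedMac === $providedMac;
}

/**
 * Preferred form once the minimum PHP version includes hash_equals():
 * a native constant-time comparison with no extra hashing.
 * The runtime fallback exists only so this file runs on older interpreters.
 */
function signatureEquals($expected, $provided)
{
    if (!is_string($expected) || !is_string($provided)) {
        return false; // hash_equals() warns on non-strings; reject them first
    }
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $provided);
    }
    return doubleHmacEquals($expected, $provided);
}

// Constructed values: the signature we compute for a request and the one
// carried in the request's Signature header (base64, as on the wire).
$secret   = 'constructed-shared-secret';
$signingString = "(request-target): get /foo\ndate: Thu, 18 Jan 2017 22:01:00 GMT";
$computed = base64_encode(hash_hmac('sha256', $signingString, $secret, true));
$fromHeader = $computed;                 // a valid request
$tampered   = substr($computed, 0, -4) . 'AAAA'; // a corrupted signature

var_dump(signatureEquals($computed, $fromHeader)); // bool(true)
var_dump(signatureEquals($computed, $tampered));   // bool(false)
var_dump(doubleHmacEquals($computed, $tampered));  // bool(false)
```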

Implemented in #37, waiting for PR approval.

liamdennehy avatar Nov 11 '18 18:11 liamdennehy