Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use hash_equals instead of double HMAC approach for signature comparison #29

Open
rbone opened this issue Jan 18, 2017 · 1 comment
Open

Use hash_equals instead of double HMAC approach for signature comparison #29

rbone opened this issue Jan 18, 2017 · 1 comment
Milestone
v4

Comments

@rbone
Copy link

rbone commented Jan 18, 2017

See #28 for what prompted this.

We're currently using a double HMAC approach for signature comparison, as that was the only way for us to securely compare HMAC signatures without making it a breaking change, as the hash_equals function we need isn't available until PHP 5.7, and we support PHP 5.5+

When we roll out our next major version we should increase the minimum PHP version to 5.7 or higher, and swap to using hash_equals.
@rbone rbone changed the title Using hmac_equals instead of double HMAC approach for signature comparison Use hmac_equals instead of double HMAC approach for signature comparison Jan 18, 2017
@rbone rbone changed the title Use hmac_equals instead of double HMAC approach for signature comparison Use hash_equals instead of double HMAC approach for signature comparison Jan 18, 2017
@rbone rbone added this to the v4 milestone Jan 18, 2017
@liamdennehy
Copy link
Contributor

Implemented in #37, waiting for PR approval.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v4
Development

No branches or pull requests
2 participants
@rbone @liamdennehy