Fixed timing attack vulnerability

viafintech · Aug 8, 2016 · 3e7d29d · 3e7d29d
1 parent e18e601
commit 3e7d29d
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 1 deletion.
diff --git a/src/Middleware.php b/src/Middleware.php
@@ -30,4 +30,30 @@ public static function generateSignature($host, $method, $path, $query, $date, $
 
         return hash_hmac('sha256', $signatureString, $key);
     }
+
+    /**
+     * @param string $first
+     * @param string $second
+     * @return boolean
+     *
+     * Workaround for PHP < 5.6 by: asphp at dsgml dot com
+     * Source: https://php.net/manual/en/function.hash-equals.php#115635
+     */
+    public static function stringsEqual($first, $second)
+    {
+        if (function_exists('hash_equals')) {
+            return hash_equals($first, $second);
+        }
+
+        if (strlen($first) != strlen($second)) {
+            return false;
+        }
+
+        $res = $first ^ $second;
+        $ret = 0;
+        for ($i = strlen($res) - 1; $i >= 0; $i--) {
+            $ret |= ord($res[$i]);
+        }
+        return !$ret;
+    }
 }
diff --git a/src/Webhook.php b/src/Webhook.php
@@ -36,6 +36,6 @@ public function verify($header, $body)
             $this->paymentKey
         );
 
-        return $header['HTTP_BZ_SIGNATURE'] == 'BZ1-HMAC-SHA256 ' . $signature;
+        return Middleware::stringsEqual($header['HTTP_BZ_SIGNATURE'], 'BZ1-HMAC-SHA256 ' . $signature);
     }
 }
diff --git a/tests/MiddlewareTest.php b/tests/MiddlewareTest.php
@@ -21,4 +21,28 @@ public function testGenerateSignature()
 
         $this->assertEquals('35764655afcf2121602a5493b58020d3b6b9d75b4150c7395acf6114ae0ba49c', $signature);
     }
+
+    public function testStringsEqualInvalidLength()
+    {
+        $first = 'thisisarandomstring123';
+        $second = 'thisisanotherrandomstring123';
+
+        $this->assertFalse(Middleware::stringsEqual($first, $second));
+    }
+
+    public function testStringsEqualInvalidContent()
+    {
+        $first = 'thisisarandomstring123';
+        $second = 'thisisarandomstring124';
+
+        $this->assertFalse(Middleware::stringsEqual($first, $second));
+    }
+
+    public function testStringsEqualValid()
+    {
+        $first = 'thismustbeavalidhash';
+        $second = 'thismustbeavalidhash';
+
+        $this->assertTrue(Middleware::stringsEqual($first, $second));
+    }
 }