Comparison for HMAC is time sensitive #3

Open
JoelLarson opened this issue Jan 24, 2017 · 0 comments

Comments

JoelLarson commented Jan 24, 2017

The HMAC comparison is susceptible to timing attacks. A better implementation of comparison should be used to prevent this information from being leaked.

https://en.wikipedia.org/wiki/Timing_attack

https://github.com/neoxia/laravel-openssl-encryption/blob/master/src/Neoxia/LaravelOpensslEncryption/Encrypter.php#L141

A simple fix would be:

```php
// Replace the plain string comparison with a constant-time equality check.
if (! \Symfony\Component\Security\Core\Util\StringUtils::equals($this->hash($payload['value']), $payload['mac'])) {
    throw new DecryptException("MAC for payload is invalid.");
}
```
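The same fix using PHP's built-in `hash_equals()` (available since PHP 5.6, and what Symfony's `StringUtils::equals` now delegates to), shown beside the early-exit comparison the issue describes. This is an added example, not code from the laravel-openssl-encryption project; the payload layout (`iv`, `value`, `mac`), the key and the HMAC construction are assumptions for the demo.

```php
<?php
// Added example, not the project's code: MAC verification for a decoded payload
// with a constant-time comparison. Key, payload layout and the early-exit compare
// are constructed for the demo.
declare(strict_types=1);

const DEMO_KEY = 'constructed-demo-key-not-for-production';

// Both sides derive the MAC the same way: HMAC-SHA256 over iv || value, hex-encoded.
function computeMac(string $iv, string $value): string
{
    return hash_hmac('sha256', $iv . $value, DEMO_KEY);
}

// Early-exit comparison: a generic string compare is not guaranteed to run in
// constant time, so how long it takes can depend on how many leading bytes of
// an attacker-supplied MAC are already correct. That is the leak the issue is about.
function macMatchesEarlyExit(string $expected, string $given): bool
{
    return $expected === $given;
}

// Hardened: hash_equals() runs in time that depends only on the length of
// $expected, never on where the first differing byte sits.
function macMatchesConstantTime(string $expected, string $given): bool
{
    return hash_equals($expected, $given);
}

// Reject on missing fields first, then on MAC mismatch, using the hardened compare.
function validPayload(array $payload): bool
{
    if (!isset($payload['iv'], $payload['value'], $payload['mac'])) {
        return false;
    }
    $expected = computeMac($payload['iv'], $payload['value']);
    return macMatchesConstantTime($expected, $payload['mac']);
}

// Constructed sample: a payload with a correct MAC, and a tampered copy.
$payload = ['iv' => base64_encode(random_bytes(16)), 'value' => base64_encode('ciphertext')];
$payload['mac'] = computeMac($payload['iv'], $payload['value']);
$tampered = $payload;
$tampered['value'] = base64_encode('ciphertexT');

var_dump(validPayload($payload));
var_dump(validPayload($tampered));
```

Note that `hash_equals()` does not hide a length difference between the two strings, so the MAC length (fixed for a given hash) is not a secret here.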