Merge pull request #19 from WesleyE/security-constant-time-comp-on-signature

joostfaassen · web-flow · commit edebc435d714 · 2016-08-17T13:10:08.000+02:00
Use timing attack safe string comparision
diff --git a/composer.json b/composer.json
@@ -1,26 +1,33 @@
 {
-    "name": "linkorb/buckaroo",
-    "description": "Buckaroo BPE3 API client for PHP. PSR-0 Compliant.",
-    "homepage": "http://www.github.com/linkorb/buckaroo",
-    "keywords": ["php", "api", "buckaroo", "psp", "payment"],
-    "type": "library",
-    "authors": [
-        {
-            "name": "Joost Faassen",
-            "email": "j.faassen@linkorb.com",
-	    "role": "Development"
-        }
-    ],
-    "require": {
-        "php": ">=5.3.0"
-    },
-    "require-dev": {
-        "phpunit/phpunit": "3.7.*"
-    },
-    "autoload": {
-	"psr-0": {
-	    "LinkORB\\Buckaroo\\": "src/"
-	} 
-    },
-    "license": "MIT"
+  "name": "linkorb/buckaroo",
+  "description": "Buckaroo BPE3 API client for PHP. PSR-0 Compliant.",
+  "homepage": "http://www.github.com/linkorb/buckaroo",
+  "keywords": [
+    "php",
+    "api",
+    "buckaroo",
+    "psp",
+    "payment"
+  ],
+  "type": "library",
+  "authors": [
+    {
+      "name": "Joost Faassen",
+      "email": "j.faassen@linkorb.com",
+      "role": "Development"
+    }
+  ],
+  "require": {
+    "php": ">=5.3.0",
+    "sarciszewski/php-future": "^0.4.2"
+  },
+  "require-dev": {
+    "phpunit/phpunit": "3.7.*"
+  },
+  "autoload": {
+    "psr-0": {
+      "LinkORB\\Buckaroo\\": "src/"
+    }
+  },
+  "license": "MIT"
 }
diff --git a/composer.lock b/composer.lock
diff --git a/src/LinkORB/Buckaroo/Response/PostResponse.php b/src/LinkORB/Buckaroo/Response/PostResponse.php
@@ -4,6 +4,7 @@
 
 use LinkORB\Buckaroo\Response;
 use LinkORB\Buckaroo\SignatureComposer\SignatureComposer;
+use Sarciszewski\PHPFuture\Security;
 
 /**
  * PostResponse can be used to verify and read post and push responses from Buckaroo.
@@ -60,7 +61,13 @@ public function __construct(array $parameters)
      */
     public function isValid(SignatureComposer $composer)
     {
-        return $this->signature === $composer->compose($this->parameters);
+        // Constant Time String Comparison @see http://php.net/hash_equals
+        if (!function_exists('hash_equals')) {
+            // Polyfill for PHP < 5.6
+            return Security::hashEquals($composer->compose($this->parameters), $this->signature);
+        } else {
+            return hash_equals($composer->compose($this->parameters), $this->signature);
+        }
     }
 
     /**
