Implemented constant time hash comparison to avoid timing attacks
mnavarrocarter committed Nov 9, 2020
1 parent 757e83e commit da74714
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/Vx80Marshaller.php
Expand Up @@ -120,7 +120,7 @@ public function decode(string $token, int $ttl = null): string
// We recompute the HMAC and ensure matched the token one
$hmac = substr($decoded, -32);
$recomputedHmac = $this->key->sign($base);
if ($hmac !== $recomputedHmac) {
if (!hash_equals($hmac, $recomputedHmac)) {
throw FernetException::incorrectMac();
}
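Review bot: The arguments to hash_equals() on the added line are in the opposite order to its documented signature, hash_equals($known_string, $user_string). Here $hmac is sliced out of the decoded token, so it is the caller-supplied value, while $recomputedHmac is the value derived from the key. Suggest `hash_equals($recomputedHmac, $hmac)` so the known value comes first. The boolean result is the same either way, but the documented order is what the constant-time guarantee is described against. Separately, the comment above the check reads "ensure matched the token one"; "ensure it matches the one in the token" would be clearer, and it is worth mentioning there that the comparison is deliberately constant time so a later edit does not revert it to `!==`.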
