Prevent timing attack on HMAC #12152

PowerKiKi · PowerKiKi · commit 86f5f013dafa · 2025-12-30T20:51:03.000+09:00
diff --git a/server/Application/Handler/DatatransHandler.php b/server/Application/Handler/DatatransHandler.php
@@ -84,7 +84,7 @@ private function checkSignature(array $body, string $key): void
         $aliasCC = $body['aliasCC'] ?? '';
         $valueToSign = $aliasCC . @$body['merchantId'] . @$body['amount'] . @$body['currency'] . @$body['refno'];
         $expectedSign = hash_hmac('sha256', mb_trim($valueToSign), hex2bin(mb_trim($key)));
-        if ($expectedSign !== $body['sign']) {
+        if (!hash_equals($expectedSign, $body['sign'])) {
             throw new Exception('Invalid HMAC signature');
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ private function checkSignature(array $body, string $key): void`
`84`	`84`	`$aliasCC = $body['aliasCC'] ?? '';`
`85`	`85`	`$valueToSign = $aliasCC . @$body['merchantId'] . @$body['amount'] . @$body['currency'] . @$body['refno'];`
`86`	`86`	`$expectedSign = hash_hmac('sha256', mb_trim($valueToSign), hex2bin(mb_trim($key)));`
`87`		`- if ($expectedSign !== $body['sign']) {`
	`87`	`+ if (!hash_equals($expectedSign, $body['sign'])) {`
`88`	`88`	`throw new Exception('Invalid HMAC signature');`
`89`	`89`	`}`
`90`	`90`	`}`