From b4f19faca8271277cdd37df0bb40f8d18c1e1a36 Mon Sep 17 00:00:00 2001
From: Micah Nordland <micah@rehack.me>
Date: Sun, 7 Mar 2021 09:50:43 -0500
Subject: [PATCH] Use timing attack safe signature verification

---
 src/p3k/WebSub/Client.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/p3k/WebSub/Client.php b/src/p3k/WebSub/Client.php
index c42868f..cabac08 100644
--- a/src/p3k/WebSub/Client.php
+++ b/src/p3k/WebSub/Client.php
@@ -218,7 +218,7 @@ class Client {
       $alg = $match[1];
       $sig = $match[2];
       $expected_signature = hash_hmac($alg, $body, $secret);
-      return $sig == $expected_signature;
+      return hash_equals($sig, $expected_signature);
     } else {
       return false;
     }