From 4f987debdf76ee8569a1917d23220f187d42e240 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Oudin?= <oudin@crans.org>
Date: Sat, 13 Oct 2018 10:30:56 +0200
Subject: [PATCH] Use HMAC-SHA256 instead of SHA1

Fixes #29
---
 app/controller/bank.php | 8 +++++---
 app/controller/campaign.php | 2 +-
 app/controller/perso.php | 3 ++-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/app/controller/bank.php b/app/controller/bank.php
index d20b0cd..06fa051 100644
--- a/app/controller/bank.php
+++ b/app/controller/bank.php
@@ -81,9 +81,11 @@ class Bank extends Controller
 $sig .= $value . "+";
 }
 $sig .= CERTIFICATE;
- $cb_log->write("sig: " . $signature . " == " . sha1($sig));
- if (sha1($sig)!=$signature) {
- $error = "Error in signature: " . $signature . " != " . sha1($sig);
+ ### Attempt to do it in hmac-sha256
+ $sig_hash = base64_encode(hash_hmac('sha256', $sig, CERTIFICATE, true));
+ $cb_log->write("sig: " . $signature . " == " . $sig_hash);
+ if ($sig_hash!=$signature) {
+ $error = "Error in signature: " . $signature . " != " . $sig_hash;
 }
 // Résultats des vérifications globales
 if ($error!="") {
diff --git a/app/controller/campaign.php b/app/controller/campaign.php
index 551bfa8..f8a71a4 100644
--- a/app/controller/campaign.php
+++ b/app/controller/campaign.php
@@ -196,7 +196,7 @@ class Campaign extends Controller
 $signature .= $value."+";
 }
 $signature .= CERTIFICATE;
- $signature = sha1($signature);
+ $signature = base64_encode(hash_hmac('sha256', $signature, CERTIFICATE, true));
 $params["signature"] = $signature;

 $f3->set('target', $target);
diff --git a/app/controller/perso.php b/app/controller/perso.php
index cdf5090..230685c 100644
--- a/app/controller/perso.php
+++ b/app/controller/perso.php
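Review bot: The new check `if ($sig_hash!=$signature)` still verifies the callback's signature with a loose, non-constant-time `!=`; an HMAC should be compared with `hash_equals`, which is both strict and timing-safe, e.g. `if (!is_string($signature) || !hash_equals($sig_hash, $signature)) {`. The `is_string` guard is needed because `hash_equals` rejects non-string arguments and `$signature` presumably comes from the provider's callback request, though the enclosing method starts before the hunk so where it is read is not visible here. The `### Attempt to do it in hmac-sha256` comment reads as a work-in-progress note; replacing it with `// Signature: HMAC-SHA-256 over the '+'-joined fields plus the key, base64-encoded (provider's scheme)` tells the next reader this is the intended algorithm, not an experiment. Writing the computed `$sig_hash` into the log line and into `$error` records the valid MAC for that payload wherever the log and, depending on how `$error` is surfaced, the response end up; logging only that the signatures differed would be safer.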
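Review bot: The expression `base64_encode(hash_hmac('sha256', $signature, CERTIFICATE, true))` is now written identically here, in bank.php and in perso.php, each preceded by the same '+'-join-then-append-CERTIFICATE loop; a single helper such as `private static function computeSignature(array $fields): string` would keep the three copies in step so the algorithm cannot drift again the way the sha1 variant did. The variable `$signature` also doubles as the concatenation buffer and the final digest, so `$signature .= CERTIFICATE;` reads as if the key were part of the output; naming the buffer `$payload` and writing `$signature = base64_encode(hash_hmac('sha256', $payload, CERTIFICATE, true));` makes the step clearer. The enclosing method starts before the hunk and its declaration is not visible here.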
@@ -531,7 +531,8 @@ class Perso extends Controller
 $signature .= $value."+";
 }
 $signature .= CERTIFICATE;
- $signature = sha1($signature);
+ $signature = base64_encode(hash_hmac('sha256', $signature, CERTIFICATE, true));
+ #$signature = sha1($signature);
 $parameters["wsSignature"] = $signature;
 $client = new \SoapClient("https://paiement.systempay.fr/vads-ws/ident-v2.1?wsdl");
 $result = $client->customerCancel($parameters);
-- 
GitLab
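Review bot: The added line `#$signature = sha1($signature);` leaves the superseded algorithm as commented-out code beside the new one; delete it, and if a SHA-1 fallback is genuinely needed for accounts still configured for it, select the algorithm through configuration rather than by editing a comment. Nothing visible here establishes that the SOAP `ident-v2.1` service validates `wsSignature` with the same HMAC-SHA-256 scheme as the form callback, so this should be confirmed against the provider's web-service documentation — a mismatch would make every `customerCancel` call fail signature validation. The enclosing method starts before the hunk and continues after it.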