From 5f2b708377aec4bc5f1d731dfbb50557552d0482 Mon Sep 17 00:00:00 2001
From: Romain d'Alverny
Date: Tue, 11 Jan 2022 12:26:15 +0100
Subject: Remove unneeded polyfills

---
app/classes/Planet.php | 24 ++----------------------
app/helpers.php | 41 -----------------------------------------
tests/HelpersTest.php | 9 +--------
3 files changed, 3 insertions(+), 71 deletions(-)

diff --git a/app/classes/Planet.php b/app/classes/Planet.php
index 5c6d7cf..d6007e5 100644
--- a/app/classes/Planet.php
+++ b/app/classes/Planet.php
@@ -75,29 +75,9 @@ class Planet
 * @param string $supplied
 * @return bool
 */
- public static function authenticateUser($known = '', $supplied = '')
+ public static function authenticateUser(string $known = '', string $supplied = '')
 {
- // The hash_equals function was introduced in PHP 5.6.0. If it's not
- // existing in the current context (PHP version too old), and to ensure
- // compatibility with those old interpreters, we'll have to provide
- // an PHP implementation of this function.
- if (function_exists('hash_equals')) {
- return hash_equals($known, $supplied);
- }
-
- // Some implementation references can be found on the function comment.
- $knownLen = mb_strlen($known);
- if ($knownLen !== mb_strlen($supplied)) {
- return false;
- }
-
- // Ensure that all the characters are the same, and continue until the
- // end of the string even if an difference was found.
- for ($i = 0, $comparison = 0; $i < $knownLen; $i++) {
- $comparison |= ord($known[$i]) ^ ord($supplied[$i]);
- }
-
- return ($comparison === 0);
+ return hash_equals($known, $supplied);
 }
 
 /**
diff --git a/app/helpers.php b/app/helpers.php
index e943252..5f251e4 100644
--- a/app/helpers.php
+++ b/app/helpers.php
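Review bot: The new one-line body keeps both `''` defaults, so when the stored value is empty and the submission is empty, `hash_equals('', '')` returns `true` and an empty credential authenticates; add a guard ahead of the comparison, `if ($known === '' || $supplied === '') { return false; }`, and consider dropping the defaults if no caller relies on them. The removed polyfill also rejected non-string input, the case the deleted `_hash_equals(0, 0)` test covered; the new `string` hints only enforce that under `declare(strict_types=1)`, which is not visible in this hunk, so a test of `Planet::authenticateUser` with empty and mismatched inputs would be worth adding in its place. The signature could also carry `: bool` to match the `@return bool` docblock above it. The enclosing `class Planet` begins and ends outside the hunk.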
@@ -9,16 +9,6 @@
 */
 function register_polyfills()
 {
- if (!function_exists('hash_equals')) {
- function hash_equals($known_string, $user_string) {
- call_user_func_array('_hash_equals', func_get_args());
- }
- }
-
- if (!function_exists('random_bytes')) {
- // If this function does not exist, it will be exposed
- // automatically by paragonie/random_compat.
- }
 }
 
 register_polyfills();
@@ -97,34 +87,3 @@ function removeCustomFiles()
 }
 }
 
-/**
- * Compare two strings in a constant-time manner.
- *
- * It returns `true` if both strings are exactly the same
- * (same size and same value).
- *
- * @param string $known_string
- * @param string $user_string
- * @return bool
- */
-function _hash_equals($known_string = '', $user_string = '')
-{
- // In our case, it's not problematic if `$known_string`'s
- // size leaks, we will only compare password hashes and
- // CSRF tokens—their size is already somehow public.
- if (!is_string($known_string) || !is_string($user_string)
- || strlen($known_string) !== strlen($user_string)) {
- return false;
- }
-
- $ret = 0;
-
- // Do not stop the comparison when a difference is found,
- // always completely compare them.
- for ($i = 0; $i < strlen($known_string); $i++) {
- $ret |= (ord($known_string[$i]) ^ ord($user_string[$i]));
- }
-
- return !$ret;
-}
-
diff --git a/tests/HelpersTest.php b/tests/HelpersTest.php
index 141e604..d0dcdda 100644
--- a/tests/HelpersTest.php
+++ b/tests/HelpersTest.php
@@ -4,12 +4,5 @@ use PHPUnit\Framework\TestCase;
 class HelpersTest extends TestCase
 {
- function test_constant_time_compare()
- {
- $this->assertTrue(_hash_equals('abc', 'abc'));
- $this->assertFalse(_hash_equals('abc', 'ab'));
- $this->assertFalse(_hash_equals('ab', 'abc'));
- $this->assertFalse(_hash_equals('abcd', 'adbc'));
- $this->assertFalse(_hash_equals(0, 0));
- }
+
 }
-- cgit v1.2.1