diff options
| author | nashe <contact@nashe.fr> | 2015-08-04 17:11:23 +0200 |
|---|---|---|
| committer | nashe <contact@nashe.fr> | 2015-08-04 17:11:23 +0200 |
| commit | cb5e73816fa0308b22c7274509b23059ce1d5eda (patch) | |
| tree | df25afeb4c4c0b2438a187976265599b2e1c5bd0 /app | |
| parent | d77b52c4c194edce0060cbb99fd07d31645297e6 (diff) | |
| download | planet-cb5e73816fa0308b22c7274509b23059ce1d5eda.tar planet-cb5e73816fa0308b22c7274509b23059ce1d5eda.tar.gz planet-cb5e73816fa0308b22c7274509b23059ce1d5eda.tar.bz2 planet-cb5e73816fa0308b22c7274509b23059ce1d5eda.tar.xz planet-cb5e73816fa0308b22c7274509b23059ce1d5eda.zip | |
Make authentication timing-safe
Improve the authentication to make it timing-safe against bruteforce
attacks.
See code comments for more details on the implementation.
Diffstat (limited to 'app')
| -rw-r--r-- | app/classes/Planet.class.php | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/app/classes/Planet.class.php b/app/classes/Planet.class.php index 3c76378..f502d7a 100644 --- a/app/classes/Planet.class.php +++ b/app/classes/Planet.class.php @@ -54,6 +54,46 @@ class Planet } /** + * Compare the supplied password with the known one. + * + * This functions uses a type-safe and timing-safe comparison, in order to + * improve the security of the authentication. + * + * Read more about this sort of attacks (used for the < PHP 5.6.0 implementation): + * - https://security.stackexchange.com/questions/83660/simple-string-comparisons-not-secure-against-timing-attacks + * - https://github.com/laravel/framework/blob/a1dc78820d2dbf207dbdf0f7075f17f7021c4ee8/src/Illuminate/Support/Str.php#L289 + * - https://github.com/symfony/security-core/blob/master/Util/StringUtils.php#L39 + * + * @param string $known + * @param string $supplied + * @return bool + */ + public static function authenticateUser($known = '', $supplied = '') + { + // The hash_equals function was introduced in PHP 5.6.0. If it's not + // existing in the current context (PHP version too old), and to ensure + // compatibility with those old interpreters, we'll have to provide + // an PHP implementation of this function. + if (function_exists('hash_equals')) { + return hash_equals($known, $supplied); + } + + // Some implementation references can be found on the function comment. + $knownLen = mb_strlen($known); + if ($knownLen !== mb_strlen($supplied)) { + return false; + } + + // Ensure that all the characters are the same, and continue until the + // end of the string even if an difference was found. + for ($i = 0, $comparison = 0; $i < $knownLen; $i++) { + $comparison |= ord($known[$i]) ^ ord($supplied[$i]); + } + + return ($comparison === 0); + } + + /** * Getters */ public function getItems() |