Diffstat (limited to 'app')
-rw-r--r--app/classes/Planet.php24
-rw-r--r--app/helpers.php41
2 files changed, 2 insertions, 63 deletions
diff --git a/app/classes/Planet.php b/app/classes/Planet.php
index 5c6d7cf..d6007e5 100644
--- a/app/classes/Planet.php
+++ b/app/classes/Planet.php
@@ -75,29 +75,9 @@ class Planet
* @param string $supplied
* @return bool
*/
- public static function authenticateUser($known = '', $supplied = '')
+ public static function authenticateUser(string $known = '', string $supplied = '')
{
- // The hash_equals function was introduced in PHP 5.6.0. If it's not
- // existing in the current context (PHP version too old), and to ensure
- // compatibility with those old interpreters, we'll have to provide
- // an PHP implementation of this function.
- if (function_exists('hash_equals')) {
- return hash_equals($known, $supplied);
- }
-
- // Some implementation references can be found on the function comment.
- $knownLen = mb_strlen($known);
- if ($knownLen !== mb_strlen($supplied)) {
- return false;
- }
-
- // Ensure that all the characters are the same, and continue until the
- // end of the string even if an difference was found.
- for ($i = 0, $comparison = 0; $i < $knownLen; $i++) {
- $comparison |= ord($known[$i]) ^ ord($supplied[$i]);
- }
-
- return ($comparison === 0);
+ return hash_equals($known, $supplied);
}
/**
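Review bot: `authenticateUser()` keeps `''` as the default for both parameters, and `hash_equals('', '')` returns true, so an empty stored value compared against an empty supplied value is reported as a successful match. Whether any caller can reach this with an empty `$known` (an unset hash or token) is not visible in this hunk, but the guard is cheap: `return $known !== '' && hash_equals($known, $supplied);`. The new `string` hints also mean a `null` argument now raises a TypeError at the call boundary, so callers that pass optional session or request values should be checked. The signature could declare `: bool` to match the docblock, whose opening lines sit above the hunk.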
diff --git a/app/helpers.php b/app/helpers.php
index e943252..5f251e4 100644
--- a/app/helpers.php
+++ b/app/helpers.php
@@ -9,16 +9,6 @@
*/
function register_polyfills()
{
- if (!function_exists('hash_equals')) {
- function hash_equals($known_string, $user_string) {
- call_user_func_array('_hash_equals', func_get_args());
- }
- }
-
- if (!function_exists('random_bytes')) {
- // If this function does not exist, it will be exposed
- // automatically by paragonie/random_compat.
- }
}
register_polyfills();
@@ -97,34 +87,3 @@ function removeCustomFiles()
}
}
-/**
- * Compare two strings in a constant-time manner.
- *
- * It returns `true` if both strings are exactly the same
- * (same size and same value).
- *
- * @param string $known_string
- * @param string $user_string
- * @return bool
- */
-function _hash_equals($known_string = '', $user_string = '')
-{
- // In our case, it's not problematic if `$known_string`'s
- // size leaks, we will only compare password hashes and
- // CSRF tokens—their size is already somehow public.
- if (!is_string($known_string) || !is_string($user_string)
- || strlen($known_string) !== strlen($user_string)) {
- return false;
- }
-
- $ret = 0;
-
- // Do not stop the comparison when a difference is found,
- // always completely compare them.
- for ($i = 0; $i < strlen($known_string); $i++) {
- $ret |= (ord($known_string[$i]) ^ ord($user_string[$i]));
- }
-
- return !$ret;
-}
-