Diffstat (limited to 'app')
-rw-r--r-- | app/classes/Planet.php | 24 | ||||
-rw-r--r-- | app/helpers.php | 41 |
2 files changed, 2 insertions, 63 deletions
diff --git a/app/classes/Planet.php b/app/classes/Planet.php
index 5c6d7cf..d6007e5 100644
--- a/app/classes/Planet.php
+++ b/app/classes/Planet.php
@@ -75,29 +75,9 @@ class Planet
      * @param string $supplied
      * @return bool
      */
-    public static function authenticateUser($known = '', $supplied = '')
+    public static function authenticateUser(string $known = '', string $supplied = '')
     {
-        // The hash_equals function was introduced in PHP 5.6.0. If it's not
-        // existing in the current context (PHP version too old), and to ensure
-        // compatibility with those old interpreters, we'll have to provide
-        // an PHP implementation of this function.
-        if (function_exists('hash_equals')) {
-            return hash_equals($known, $supplied);
-        }
-
-        // Some implementation references can be found on the function comment.
-        $knownLen = mb_strlen($known);
-        if ($knownLen !== mb_strlen($supplied)) {
-            return false;
-        }
-
-        // Ensure that all the characters are the same, and continue until the
-        // end of the string even if an difference was found.
-        for ($i = 0, $comparison = 0; $i < $knownLen; $i++) {
-            $comparison |= ord($known[$i]) ^ ord($supplied[$i]);
-        }
-
-        return ($comparison === 0);
+        return hash_equals($known, $supplied);
     }
 
     /**
diff --git a/app/helpers.php b/app/helpers.php
index e943252..5f251e4 100644
--- a/app/helpers.php
+++ b/app/helpers.php
@@ -9,16 +9,6 @@
  */
 function register_polyfills()
 {
-    if (!function_exists('hash_equals')) {
-        function hash_equals($known_string, $user_string) {
-            call_user_func_array('_hash_equals', func_get_args());
-        }
-    }
-
-    if (!function_exists('random_bytes')) {
-        // If this function does not exist, it will be exposed
-        // automatically by paragonie/random_compat.
-    }
 }
 
 register_polyfills();
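Review bot: The new `authenticateUser` keeps `''` as the default for both `$known` and `$supplied`, and `hash_equals('', '')` is `true`, so any call site that ends up with an empty known value (no stored hash, no issued token) will accept an empty supplied value; the old hand-rolled path had the same gap, but this commit is the natural place to close it now that the body is a single line. If no caller relies on the defaults I would drop them, declare the return type and reject an empty known value: `public static function authenticateUser(string $known, string $supplied): bool` with `return $known !== '' && hash_equals($known, $supplied);`. Note also that the deleted `_hash_equals` polyfill returned `false` for non-string input, whereas the typed signature now throws `TypeError` when a caller passes `null` (e.g. a missing request field), which presumably no caller catches — worth checking the call sites. The `@param`/`@return` docblock above the signature starts outside the hunk; it should record that the scalar `string` hints and native `hash_equals` raise the minimum supported PHP version (7.0 or later), ideally matched by the project's composer `php` constraint, which is not visible here.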
@@ -97,34 +87,3 @@ function removeCustomFiles()
     }
 }
 
-/**
- * Compare two strings in a constant-time manner.
- *
- * It returns `true` if both strings are exactly the same
- * (same size and same value).
- *
- * @param string $known_string
- * @param string $user_string
- * @return bool
- */
-function _hash_equals($known_string = '', $user_string = '')
-{
-    // In our case, it's not problematic if `$known_string`'s
-    // size leaks, we will only compare password hashes and
-    // CSRF tokens—their size is already somehow public.
-    if (!is_string($known_string) || !is_string($user_string)
-        || strlen($known_string) !== strlen($user_string)) {
-        return false;
-    }
-
-    $ret = 0;
-
-    // Do not stop the comparison when a difference is found,
-    // always completely compare them.
-    for ($i = 0; $i < strlen($known_string); $i++) {
-        $ret |= (ord($known_string[$i]) ^ ord($user_string[$i]));
-    }
-
-    return !$ret;
-}
-
|