RobThree\Auth\TwoFactorAuth::codeEquals PHP Method

TwoFactorAuth Class Documentation Show file Open project: RobThree/TwoFactorAuth

codeEquals() private method

Timing-attack safe comparison of 2 codes (see http://blog.ircmaxell.com/2014/11/its-all-about-time.html)

private codeEquals ( $safe, $user )

    private function codeEquals($safe, $user)
    {
        if (function_exists('hash_equals')) {
            return hash_equals($safe, $user);
        } else {
            // In general, it's not possible to prevent length leaks. So it's OK to leak the length. The important part is that
            // we don't leak information about the difference of the two strings.
            if (strlen($safe) === strlen($user)) {
                $result = 0;
                for ($i = 0; $i < strlen($safe); $i++) {
                    $result |= ord($safe[$i]) ^ ord($user[$i]);
                }
                return $result === 0;
            }
        }
        return false;
    }

TwoFactorAuth

__construct

base32Decode

codeEquals

createSecret

getCode

getQRCodeImageAsDataUri

getQRText

getTime

getTimeSlice

verifyCode