private function TfaBasePlugin::timingSafeEquals in Two-factor Authentication (TFA) 7.2

A timing safe equals comparison.

More info here: http://blog.ircmaxell.com/2014/11/its-all-about-time.html.

Parameters

string $safeString: The internal (safe) value to be checked.

string $userString: The user submitted (unsafe) value.

Return value

bool True if the two strings are identical.

1 call to TfaBasePlugin::timingSafeEquals()
TfaBasePlugin::validate in ./tfa.inc
Validate code.

File

./tfa.inc, line 564
TFA module classes.

Class

TfaBasePlugin
Base plugin class.

Code

private function timingSafeEquals($safeString, $userString) {
  // Prefer PHP's built-in constant-time comparison (PHP 5.6 and later).
  if (function_exists('hash_equals')) {
    return hash_equals($safeString, $userString);
  }
  // Fallback for older PHP: strings of different length are never equal.
  $safeLen = strlen($safeString);
  $userLen = strlen($userString);
  if ($userLen != $safeLen) {
    return FALSE;
  }
  // XOR each byte pair and OR the differences together, with no early exit.
  $result = 0;
  for ($i = 0; $i < $userLen; ++$i) {
    $result |= ord($safeString[$i]) ^ ord($userString[$i]);
  }

  // They are only identical strings if $result is exactly 0.
  return $result === 0;
}
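
An added example, not part of the TFA module: it counts loop iterations instead of measuring time, to show what an early-exit comparison reveals about the expected value and why the fallback loop above does not. The function names and the sample code values are constructed for this illustration.

```php
<?php
// Added illustration, not TFA module code. Function names and the sample
// codes below are constructed for this example.

// Early-exit comparison: returns at the first differing byte, so the amount
// of work depends on how many leading bytes of the guess are correct.
function early_exit_equals($safe, $user, &$steps) {
  $steps = 0;
  if (strlen($safe) !== strlen($user)) {
    return FALSE;
  }
  for ($i = 0; $i < strlen($safe); ++$i) {
    ++$steps;
    if ($safe[$i] !== $user[$i]) {
      return FALSE;
    }
  }
  return TRUE;
}

// Same loop shape as the fallback in timingSafeEquals(): every byte is
// XORed and OR-ed into $result, so the work is fixed for a given length.
function constant_time_equals($safe, $user, &$steps) {
  $steps = 0;
  if (strlen($safe) !== strlen($user)) {
    return FALSE;
  }
  $result = 0;
  for ($i = 0; $i < strlen($user); ++$i) {
    ++$steps;
    $result |= ord($safe[$i]) ^ ord($user[$i]);
  }
  return $result === 0;
}

$expected = '493817'; // Constructed six-digit code.
$guesses = array('000000', '400000', '493000', '493810', '493817');
foreach ($guesses as $guess) {
  $a = early_exit_equals($expected, $guess, $early);
  $b = constant_time_equals($expected, $guess, $fixed);
  // hash_equals() needs PHP 5.6+; both arguments must be strings.
  $c = function_exists('hash_equals') ? hash_equals($expected, (string) $guess) : $b;
  printf("%s  early-exit steps=%d  constant-time steps=%d  equal=%s\n",
    $guess, $early, $fixed, var_export($a && $b && $c, TRUE));
}
```

Both variants still return immediately on a length mismatch, as `hash_equals()` itself does, so the length of the expected value is not protected; that is acceptable when the length is fixed and publicly known, as with a TFA code.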