interface/modules/zend_modules/library/Zend/Crypt/Utils.php

   1 <?php
   2 /**
   3  * Zend Framework (http://framework.zend.com/)
   4  *
   5  * @link      http://github.com/zendframework/zf2 for the canonical source repository
   6  * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
   7  * @license   http://framework.zend.com/license/new-bsd New BSD License
   8  */
   9
  10 namespace Zend\Crypt;
  11
  12 /**
  13  * Tools for cryptography
  14  */
  15 class Utils
  16 {
  17     /**
  18      * Compare two strings to avoid timing attacks
  19      *
  20      * C function memcmp() internally used by PHP, exits as soon as a difference
  21      * is found in the two buffers. That makes possible of leaking
  22      * timing information useful to an attacker attempting to iteratively guess
  23      * the unknown string (e.g. password).
  24      *
  25      * @param  string $expected
  26      * @param  string $actual
  27      * @return bool
  28      */
  29     public static function compareStrings($expected, $actual)
  30     {
  31         $expected     = (string) $expected;
  32         $actual       = (string) $actual;
  33         $lenExpected  = strlen($expected);
  34         $lenActual    = strlen($actual);
  35         $len          = min($lenExpected, $lenActual);
  36
  37         $result = 0;
  38         for ($i = 0; $i < $len; $i++) {
  39             $result |= ord($expected[$i]) ^ ord($actual[$i]);
  40         }
  41         $result |= $lenExpected ^ $lenActual;
  42
  43         return ($result === 0);
  44     }
  45 }