From 276a54f13460010f0a5866466820c101ee08cbe6 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Fri, 19 Jan 2018 00:19:25 +0100 Subject: [PATCH] Continued: - rewrite "miner" chash to scrypt - imported needed exception class MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Roland Häder --- application/tests/exceptions.php | 1 + contrib/chash/chash.php | 395 ++++--------------------------- contrib/chash/lib/functions.php | 192 +++++++++++++++ contrib/chash/lib/scrypt.php | 214 +++++++++++++++++ 4 files changed, 455 insertions(+), 347 deletions(-) create mode 100644 contrib/chash/lib/functions.php create mode 100644 contrib/chash/lib/scrypt.php diff --git a/application/tests/exceptions.php b/application/tests/exceptions.php index 3538bd31..834bc6e2 100644 --- a/application/tests/exceptions.php +++ b/application/tests/exceptions.php @@ -1,5 +1,6 @@ array()); 
@@ -37,292 +44,13 @@ $GLOBALS['found_hashes'] = array(0 => array()); * @license See LICENSE (public-domain) */ -/** - * Calculates a simple but stronger hash from given string. No salts are being - * added here. - * - * @param $str The string to be hashed - * @return $hash The hash from string $str - */ -function hashString ($str) { - // Calculate strong hash from given string - $hash = mhash($GLOBALS['hash_algo'], $str); - - // Return it hexadecimal-encoded - return bin2hex($hash); -} - -/** - * Multiple-hashes given string. This is done by hashing the given string and - * then hashing the generated hash again. - * - * @param $str The string to be hashed 4 times - * @return $hash The generated hash - */ -function multipleHashString ($str) { - // Generate hash from given hash - $hash = hashString($str); - - // Now over-hash it - for ($idx = 0; $idx < ($GLOBALS['hash_cycles'] - 1); $idx++) { - // Over-hash the given hash - $hash = hashString($hash); - } // END - for - - // Return it - return $hash; -} - -/** - * Calculates a "modula-hash" based given two hashes. - * - * @param $hash1 Hash 1 - * @param $hash2 Hash 2 - */ -function modulaHash ($hash1, $hash2) { - // Both must have same length - assert(strlen($hash1) === strlen($hash2)); - - // Init propability array with 256 zeros - $propability = array_fill(0, 256, 0); - - // Init new hash - $modulaHash = ''; - - // "Walk" trough first hash and get every 2 byte of both hashes - for ($idx = 0; $idx < strlen($hash1); $idx += 2) { - // Init modula value - $mod = 0; - - // Get both hash parts and convert to ASCII number - $part1 = hexdec(substr($hash1, $idx, 2)); - $part2 = hexdec(substr($hash2, $idx, 2)); - - // Debug message - //* NOISY-DEBUG: */ print 'part1=' . $part1 . ',part2=' . $part2 . PHP_EOL; - - /* - * If part1 is larget part2, part1 is divident and vise-versa. 
But don't do it - * if one is zero - */ - if (($part1 > $part2) && ($part2 > 0)) { - // 'part1' is larger than 'part2' - $mod = $part1 % $part2; - } elseif (($part2 > $part1) && ($part1 > 0)) { - // 'part2' is larger than 'part1' - $mod = $part2 % $part1; - } - - // $mod is now mostly a small number so try to "improve" it - //* NOISY-DEBUG: */ print 'mod[' . gettype($mod) . ']=' . $mod . ' - BEFORE!' . PHP_EOL; - $mod = (int) round(sqrt($mod * ($part1 + $part2 + $mod ^ 7) / 3)); - //* NOISY-DEBUG: */ print 'mod[' . gettype($mod) . ']=' . $mod . ' - AFTER!' . PHP_EOL; - - // Make sure it is valid - assert($mod >= 0); - assert($mod <= 255); - - // "Invert" the result against 255 as zeros are not good for later calculations - $mod = 255 - $mod; - - // Add it to propability array for debugging - $propability[$mod]++; - - // Encode to hex, pre-pad it with zeros and add to new hash - $modulaHash .= padHex($mod); - } // END - for - - // Debug propability array - $cnt = 0; - foreach ($propability as $value) { - // Is the value larger than one, means the number has been found at least once? - if ($value > 0) { - // Then count it - $cnt++; - } // END - if - } // END - foreach - - // Debug message - //* NOISY-DEBUG: */ print('cnt=' . $cnt . '/' . strlen($hash1) / 2 . 
PHP_EOL); - - // Modula hash must have same length as input hash - assert(strlen($modulaHash) === strlen($hash1)); - - // Return modula hash - return $modulaHash; -} - -/** - * Calculates a "sqrt-hash" based given two hashes and single-hash it - * - * @param $hash1 Hash 1 - * @param $hash2 Hash 2 - */ -function sqrtHash ($hash1, $hash2) { - // Both must have same length - assert(strlen($hash1) === strlen($hash2)); - - // Init new hash - $sqrtHash = ''; - - // "Walk" trough first hash and get every 2 byte of both hashes - for ($idx = 0; $idx < strlen($hash1); $idx += 2) { - // Init modula value - $mod = 0; - - // Get both hash parts and convert to ASCII number - $part1 = hexdec(substr($hash1, $idx, 2)); - $part2 = hexdec(substr($hash2, $idx, 2)); - - // Calculate square root of both parts being multiplied and round up, then "invert" it against 255 - $sqrt = intval(255 - ceil(sqrt($part1 * $part2))); - - // Encode to hex, pre-pad it with zeros and add to new hash - $sqrtHash .= padHex($sqrt); - } // END - for - - // "sqrt-hash" must have same length as input hash - assert(strlen($sqrtHash) === strlen($hash1)); - - // Hash reversed "sqrt-hash" again and return it - return hashString(strrev($sqrtHash)); -} - -/** - * Converts a number between 0 and 255 into a zero-padded hexadecimal string - * - * @param $num Number between 0 and 255 - * @return $hex Hexadecimal string, padded with zeros - */ -function padHex ($num) { - // Must be a integer number and between 0 and 255 - assert(is_int($num)); - assert($num >= 0); - assert($num <= 255); - - // Convert it - $hex = str_pad(dechex($num), 2, '0', STR_PAD_LEFT); - - // ... and return it - return $hex; -} - -/** - * Calculates sum from given hash - * - * @param $hash Hash to calculate sum from - * @return $sum Sum from given hash - */ -function calculateSumFromHash ($hash) { - // Everything starts with zero ... 
- $sum = 0; - - // Loop through hash - for ($idx = 0; $idx < (strlen($hash) / 2); $idx++) { - // And add it - $sum = $sum + hexdec(substr($hash, $idx, 2)); - } // END - for - - // And return it - return $sum; -} - -/** - * Calculates new nonce - * - * @return void - */ -function calculateNonce () { - // Linear incrementation - $GLOBALS['nonce'] += $GLOBALS['none_increment']; -} - -/** - * Writes/flushes check-point file - * - * @param $hash Modula hash (or hash to save) - * @return void - */ -function flushCheckPointFile ($hash) { - // Display message - print ('FLUSHING: Writing ' . count($GLOBALS['found_hashes']) . ' blocks ...' . PHP_EOL); - - // Start timer - $timer = microtime(true); - - // Flush data - file_put_contents( - CHECK_POINT, - $GLOBALS['total_blocks'] . ':' . - $GLOBALS['total_reward'] . ':' . - $GLOBALS['total_hashes'] . ':' . - $GLOBALS['total_found'] . ':' . - $GLOBALS['total_restarts'] . ':' . - $GLOBALS['hash_cycles'] . ':' . - base64_encode((float) $GLOBALS['nonce']) . ':' . - $hash . ':' . - $GLOBALS['root_hash'] . ':' . - base64_encode(gzcompress(json_encode($GLOBALS['found_hashes']))) - ); - - // Set time - $GLOBALS['time_flush'] = microtime(true); - print ('FLUSHING: Took ' . ($GLOBALS['time_flush'] - $timer) . ' seconds.' . PHP_EOL); -} - -/** - * Adds a found hash and flushes the checkpoint file - * - * @param $hash Hash to save - */ -function addFoundHash ($hash) { - // Increment counter - $GLOBALS['total_found']++; - - // Add hash to array - array_push($GLOBALS['found_hashes'][$GLOBALS['total_blocks']], array( - 'modula_hash' => $GLOBALS['modula_hash'], - 'genesis_hash' => $GLOBALS['genesis_hash'], - 'root_hash' => $GLOBALS['root_hash'], - 'nonce' => (float) $GLOBALS['nonce'], - 'iter' => $GLOBALS['iteration'], - 'hashes_block' => $GLOBALS['hashes_block'], - 'hash_cycles' => $GLOBALS['hash_cycles'], - 'nonce_hash' => $hash - )); - - // Found hash: - print ('FOUND: hash=' . $hash . ',nonce=' . $GLOBALS['nonce'] . ',total_found=' . 
$GLOBALS['total_found'] . PHP_EOL); - - // Set time as a new hash was found - $GLOBALS['found_time'] = microtime(true); - - // Flush check-point file after new hash is found - flushCheckPointFile($hash); - - // Use nonceHash as next modula hash - setModulaHash($hash); -} - -/** - * Initializes nonce - * - * @return void - */ -function initNonce () { - $GLOBALS['nonce'] = 1 / (mt_rand() ^ pi()); - print (__FUNCTION__ . ': nonce=' . $GLOBALS['nonce'] . PHP_EOL); -} - -/** - * Sets modula hash and calculates sum of it - * - * @param $hash Hash to set as "modula hash" - * @return void - */ -function setModulaHash ($hash) { - $GLOBALS['modula_hash'] = $hash; - $GLOBALS['sum_modula'] = calculateSumFromHash($GLOBALS['modula_hash']); +// Is the check point there? +if (is_readable(CHECK_POINT)) { + // Load it + loadCheckpointFile(); +} else { + // Create nonce (very small) + initNonce(); } /* 
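Review bot: The new `if (is_readable(CHECK_POINT)) { loadCheckpointFile(); } else { initNonce(); }` at the end of this hunk repeats the `is_readable` test that `loadCheckpointFile()` performs itself, and because that function returns void the caller cannot tell whether a readable but malformed checkpoint was actually loaded — on that path neither branch initialises `$GLOBALS['nonce']`, and the loader's own `assert(count($data) == 10)` is a no-op once assertions are disabled. Have the loader report success and fall back to a fresh nonce otherwise: `if (!is_readable(CHECK_POINT) || !loadCheckpointFile()) { initNonce(); }`. The matching `return true;` / `return false;` in `loadCheckpointFile()` belongs in contrib/chash/lib/functions.php, outside this hunk.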
@@ -350,35 +78,32 @@ $gensisHashes = array(
 multipleHashString('Your code is shit. Your argument is shit.'),
 );
-// Calculate "modula hash" from 1st/4th and 2nd/3rd
-$modulaHashes = array(
- // "Block" 0
- modulaHash($gensisHashes[0], $gensisHashes[3]),
- modulaHash($gensisHashes[1], $gensisHashes[2]),
-
- // "Block" 1
- modulaHash($gensisHashes[4], $gensisHashes[7]),
- modulaHash($gensisHashes[5], $gensisHashes[6]),
+// Calculate first "block"
+$genesisBlock = array(
+ hashString($gensisHashes[0] . $gensisHashes[3]),
+ hashString($gensisHashes[1] . $gensisHashes[2]),
+ hashString($gensisHashes[4] . $gensisHashes[7]),
+ hashString($gensisHashes[5] . $gensisHashes[6]),
 );
-// Calculate "sqrt hash"
-$sqrtHashes = array(
- sqrtHash($modulaHashes[0], $modulaHashes[1]),
- sqrtHash($modulaHashes[2], $modulaHashes[3])
+// Calulcate final "genesis" hash
+$genesisHash = hashString(
+ $genesisBlock[0] .
+ $genesisBlock[2] .
+ $genesisBlock[1] .
+ $genesisBlock[3]
 );
-// Calulcate modula hash
-setModulaHash(multipleHashString(modulaHash($sqrtHashes[0], $sqrtHashes[1])));
+// Get all elements to get the last part out
+$elements = explode('$', $genesisHash);
 // This is also the "genesis" hash and first root hash
-$GLOBALS['genesis_hash'] = $GLOBALS['modula_hash'];
-$GLOBALS['root_hash'] = $GLOBALS['modula_hash'];
+$GLOBALS['current_hash'] = $genesisHash;
+$GLOBALS['root_hash'] = $genesisHash;
+$GLOBALS['sum_genesis'] = sumHash($elements[4]);
 // Output results
 print ('hashes=' . print_r($gensisHashes, true));
-print ('modulaHashes=' . print_r($modulaHashes, true));
-print ('sqrtHashes=' . print_r($sqrtHashes, true));
-print ('modulaHash=' . $GLOBALS['modula_hash'] . PHP_EOL);
 // Total reward + hashes
 $GLOBALS['total_reward'] = 0;
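Review bot: `$GLOBALS['sum_genesis'] = sumHash($elements[4]);` indexes the result of `explode('$', $genesisHash)` without checking that five fields came back; `hashString()` lives in contrib/chash/lib/functions.php, whose beginning is not in this patch view, so whether it always returns the `N$r$p$salt$hash` layout that `Scrypt::hash()` produces cannot be confirmed from here. If it ever returns anything else, `$elements[4]` is an undefined offset and the miner starts with a meaningless target sum. Guard it before use: `if (count($elements) !== 5) { throw new RuntimeException('unexpected genesis hash format: ' . $genesisHash); }`. The `[0] . [2] . [1] . [3]` ordering in the final `hashString()` call also deserves a one-line comment stating that it is intentional.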
@@ -387,39 +112,11 @@ $GLOBALS['total_found'] = 0;
 $GLOBALS['total_blocks'] = 0;
 $GLOBALS['found_time'] = microtime(true);
-// Is the check point there?
-if (is_readable(CHECK_POINT)) {
- // Then load it
- $checkPoint = file_get_contents(CHECK_POINT);
-
- // Explode it
- $data = explode(':', $checkPoint);
-
- // Assert on count
- assert(count($data) == 10);
-
- // 1st element is nonce, 2nd hash, 3rd found hashes
- $GLOBALS['total_blocks'] = $data[0];
- $GLOBALS['total_reward'] = $data[1];
- $GLOBALS['total_hashes'] = $data[2];
- $GLOBALS['total_found'] = $data[3];
- $GLOBALS['total_restarts'] = $data[4];
- $GLOBALS['hash_cycles'] = intval($data[5]);
- $GLOBALS['nonce'] = (float) base64_decode($data[6]);
- $GLOBALS['root_hash'] = $data[8];
- $GLOBALS['found_hashes'] = json_decode(gzuncompress(base64_decode($data[9])));
-
- // Set modula hash
- setModulaHash($data[7]);
-} else {
- // Create nonce (small)
- initNonce();
-}
-
 // Output again
-print ('modulaHash=' . $GLOBALS['modula_hash'] . PHP_EOL);
 print ('nonce=' . $GLOBALS['nonce'] . PHP_EOL);
 print ('found=' . count($GLOBALS['found_hashes'][$GLOBALS['total_blocks']]) . PHP_EOL);
+print ('salt=' . $GLOBALS['salt'] . PHP_EOL);
+print ('difficulty=' . $GLOBALS['difficulty'] . PHP_EOL);
 // Start "mining"
 while (true) {
@@ -437,7 +134,7 @@ while (true) {
 while (count($GLOBALS['found_hashes'][$GLOBALS['total_blocks']]) <= $GLOBALS['block_size']) {
 // Create hash from modulaHash ("genesis hash") and nonce
- $nonceHash = multipleHashString($GLOBALS['nonce'] . $GLOBALS['modula_hash']);
+ $nonceHash = multipleHashString($GLOBALS['nonce'] . $GLOBALS['current_hash']);
 // Calculate sums
 $sumNonce = calculateSumFromHash($nonceHash);
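Review bot: `print ('salt=' . $GLOBALS['salt'] . PHP_EOL);` and the `difficulty=` line below it read two globals that, within this patch, are assigned only inside `loadCheckpointFile()`; on the fresh-start path (`initNonce()`) they are undefined offsets unless the first hunk of contrib/chash/chash.php, which is not in view here, sets defaults. If it does not, initialise them next to the `$GLOBALS['total_blocks'] = 0;` defaults at the top of this hunk so both start-up paths print and mine with the same values. The `-437` hunk on the same line is a rename only.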
@@ -448,12 +145,12 @@ while (true) {
 // Now start the "mining" ...
 $timeHash = microtime(true);
- while ($sumNonce < $GLOBALS['sum_modula']) {
+ while ($sumNonce < $GLOBALS['sum_genesis']) {
 // Calculate new nonce
 calculateNonce();
 // And hash again
- $nonceHash = multipleHashString($GLOBALS['nonce'] . $GLOBALS['modula_hash']);
+ $nonceHash = multipleHashString($GLOBALS['nonce'] . $GLOBALS['current_hash']);
 // Calculate sums
 $sumNonce = calculateSumFromHash($nonceHash);
@@ -467,7 +164,7 @@ while (true) {
 // Only every second
 if ($testTime >= 1) {
 // Display hash rate
- print ('hashrate=' . round($hashrate) . ' hashes/sec,iterSecond=' . $GLOBALS['iteration_second'] . ' iterations/sec' . PHP_EOL);
+ print ('hashrate=' . round($hashrate) . ' hashes/sec,iterSecond=' . $GLOBALS['iteration_second'] . ' iterations/sec,difficulty=' . $GLOBALS['difficulty'] . PHP_EOL);
 // Reset timer
 $timeDisplay = microtime(true);
@@ -480,7 +177,7 @@ while (true) {
 // Only once per 10 seconds
 if ($testTime >= $GLOBALS['flush_file_time']) {
 // Flush check-point file
- flushCheckPointFile($GLOBALS['modula_hash']);
+ flushCheckPointFile($GLOBALS['current_hash']);
 } // END - if
 // Time spend from last found block
@@ -488,8 +185,9 @@ while (true) {
 // Is the last found time to far away?
 if ($testTime >= $GLOBALS['restart_search_time']) {
- // Count up restart
+ // Count up restart and reduce difficulty, but never below 2
 $GLOBALS['total_restarts']++;
+ $GLOBALS['difficulty'] = max(2, ($GLOBALS['difficulty'] / 2));
 // Output message
 print('total_restarts=' . $GLOBALS['total_restarts'] . ' - Restarting ...');
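Review bot: `$GLOBALS['difficulty'] = max(2, ($GLOBALS['difficulty'] / 2));` in the `-488` hunk uses float division, so an odd value turns difficulty into a float, and after a checkpoint reload the value is the raw string `$data[7]`; if difficulty feeds the scrypt `N` parameter, which `Scrypt::hash()` rejects unless it is a power of two greater than zero, a non-integer value will either throw or be silently coerced by the `$N & ($N - 1)` check. Keep it an integer at the only place it is lowered: `$GLOBALS['difficulty'] = max(2, intdiv((int) $GLOBALS['difficulty'], 2));`. The other three hunks on this line are renames and an extra print field. The enclosing `while (true)` loop starts and ends outside these hunks.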
@@ -562,7 +260,7 @@ while (true) {
 //print ('nonce=' . $GLOBALS['nonce'] . ',iteration=' . $GLOBALS['iteration'] . PHP_EOL);
 //print ('nonceHash=' . $nonceHash . PHP_EOL);
 //print ('sumNonce=' . $sumNonce . PHP_EOL);
- //print ('sumModula=' . $GLOBALS['sum_modula'] . PHP_EOL);
+ //print ('sumGenesis=' . $GLOBALS['sum_genesis'] . PHP_EOL);
 } // END - while
 // If the iteration is zero, then no hash is found
@@ -592,6 +290,9 @@ while (true) {
 $reward = abs($timeBlock - $timeBadHashes) / $hashrate * $GLOBALS['hashes_block'] / $GLOBALS['block_size'] * 1000;
 print ('timeBlock=' . $timeBlock . ',timeBadHashes=' . $timeBadHashes . ',hashesPerBlock=' . $GLOBALS['hashes_block'] .',reward=' . $reward . PHP_EOL);
+ // Double difficulty
+ $GLOBALS['difficulty'] = $GLOBALS['difficulty'] * 2;
+
 // Block completed
 $GLOBALS['total_hashes'] += $GLOBALS['hashes_block'];
 $GLOBALS['total_blocks']++;
diff --git a/contrib/chash/lib/functions.php b/contrib/chash/lib/functions.php
new file mode 100644
index 00000000..b6bbc079
--- /dev/null
+++ b/contrib/chash/lib/functions.php
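Review bot: `$GLOBALS['difficulty'] = $GLOBALS['difficulty'] * 2;` in the `-592` hunk grows without an upper bound, while the only decrease (`max(2, difficulty / 2)` in the `-488` hunk) happens on a search restart; if difficulty is the scrypt cost parameter, memory per hash grows with 128·N·r bytes, so a long-running miner will hit the "Parameter N is too large" exception in `Scrypt::hash()` or exhaust memory first, and the checkpoint then persists that value. Clamp it at a configured ceiling: `$GLOBALS['difficulty'] = min(MAX_DIFFICULTY /* placeholder: define alongside CHECK_POINT */, $GLOBALS['difficulty'] * 2);`. The `-562` hunk above only renames a commented-out debug line. The enclosing `while (true)` loop starts and ends outside both hunks.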
@@ -0,0 +1,192 @@
+ $GLOBALS['current_hash'],
+ 'root_hash' => $GLOBALS['root_hash'],
+ 'nonce' => (float) $GLOBALS['nonce'],
+ 'iter' => $GLOBALS['iteration'],
+ 'hashes_block' => $GLOBALS['hashes_block'],
+ 'hash_cycles' => $GLOBALS['hash_cycles'],
+ 'difficulty' => $GLOBALS['difficulty'],
+ 'nonce_hash' => $hash,
+ ));
+
+ // Found hash:
+ print ('FOUND: hash=' . $hash . ',nonce=' . $GLOBALS['nonce'] . ',total_found=' . $GLOBALS['total_found'] . PHP_EOL);
+
+ // Set time as a new hash was found
+ $GLOBALS['found_time'] = microtime(true);
+
+ // Flush check-point file after new hash is found
+ flushCheckPointFile($hash);
+}
+
+/**
+ * Initializes nonce
+ *
+ * @return void
+ */
+function initNonce () {
+ $GLOBALS['nonce'] = 1 / (mt_rand() ^ pi());
+ print (__FUNCTION__ . ': nonce=' . $GLOBALS['nonce'] . PHP_EOL);
+}
+
+/**
+ * Sums all hex parts of the hash to one final sum
+ *
+ * @param $hash Hex-hash to sum
+ * @return Sum of hash
+ */
+function sumHash ($hash) {
+ // Init it
+ $sum = 0;
+
+ for ($i = 0; $i < (strlen($hash) / 2); $i++) {
+ $sum += hexdec(substr($hash, $i, 2));
+ }
+
+ return $sum;
+}
+
+/**
+ * Loads check-point file, if found
+ *
+ * @return void
+ */
+function loadCheckpointFile () {
+ // Is the check point there?
+ if (is_readable(CHECK_POINT)) {
+ // Then load it
+ $checkPoint = file_get_contents(CHECK_POINT);
+
+ // Explode it
+ $data = explode('|', $checkPoint);
+
+ // Assert on count
+ assert(count($data) == 10);
+
+ // 1st element is nonce, 2nd hash, 3rd found hashes
+ $GLOBALS['total_blocks'] = $data[0];
+ $GLOBALS['total_reward'] = $data[1];
+ $GLOBALS['total_hashes'] = $data[2];
+ $GLOBALS['total_found'] = $data[3];
+ $GLOBALS['total_restarts'] = $data[4];
+ $GLOBALS['hash_cycles'] = intval($data[5]);
+ $GLOBALS['salt'] = $data[6];
+ $GLOBALS['difficulty'] = $data[7];
+ $GLOBALS['nonce'] = (float) base64_decode($data[8]);
+ $GLOBALS['current_hash'] = $data[9];
+ $GLOBALS['root_hash'] = $data[9];
+ $GLOBALS['found_hashes'] = json_decode(gzuncompress(base64_decode($data[11])));
+ } // END - if
+}
diff --git a/contrib/chash/lib/scrypt.php b/contrib/chash/lib/scrypt.php
new file mode 100644
index 00000000..3f73a71f
--- /dev/null
+++ b/contrib/chash/lib/scrypt.php
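Review bot: `loadCheckpointFile()` asserts `count($data) == 10` and then reads `$data[11]` (skipping `$data[10]`), so the assertion and the indexing cannot both be right — with ten fields the found-hashes load becomes `base64_decode(null)`, and with assertions disabled (the usual production setting) a short or foreign file is consumed with no check at all. Because the separator also changed from `:` to `|`, a checkpoint written by the previous version now explodes to a single element and every field read after it is an undefined offset. Replace the assert with an explicit check that matches whatever `flushCheckPointFile()` writes (that function is at the top of this file, outside the visible part of the hunk): `if (count($data) !== EXPECTED_FIELDS /* placeholder: the field count flushCheckPointFile() emits */) { throw new RuntimeException('corrupt or outdated check-point file: ' . CHECK_POINT); }`. The new `sumHash()` also advances `$i` by one while taking two-character slices, so it sums overlapping pairs from only the first half of the hash; that is carried over from the old `calculateSumFromHash()`, but now that it is rewritten either change the step to `$i += 2` or add a comment saying the overlap is intended.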
@@ -0,0 +1,214 @@ + + * @license http://www.opensource.org/licenses/BSD-2-Clause BSD 2-Clause License + * @link http://github.com/DomBlack/php-scrypt + */ + +/** + * This class abstracts away from scrypt module, allowing for easy use. + * + * You can create a new hash for a password by calling Password::hash($password) + * + * You can check a password by calling Password::check($password, $hash) + * + * @category Security + * @package Scrypt + * @author Dominic Black + * @license http://www.opensource.org/licenses/BSD-2-Clause BSD 2-Clause License + * @link http://github.com/DomBlack/php-scrypt + */ +class Scrypt +{ + + /** + * + * @var int The key length + */ + private static $_keyLength = 32; + + /** + * Get the byte-length of the given string + * + * @param string $str Input string + * + * @return int + */ + protected static function strlen( $str ) { + static $isShadowed = null; + + if ($isShadowed === null) { + $isShadowed = extension_loaded('mbstring') && + ini_get('mbstring.func_overload') & 2; + } + + if ($isShadowed) { + return mb_strlen($str, '8bit'); + } else { + return strlen($str); + } + } + + /** + * Generates a random salt + * + * @param int $length The length of the salt + * + * @return string The salt + */ + public static function generateSalt($length = 8) + { + $buffer = ''; + $buffer_valid = false; + if (function_exists('random_bytes')) { + try { + $buffer = random_bytes($length); + $buffer_valid = true; + } catch (Exception $ignored) { } + } + + if (!$buffer_valid && function_exists('mcrypt_create_iv') && !defined('PHALANGER')) { + $buffer = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM); + if ($buffer) { + $buffer_valid = true; + } + } + + if (!$buffer_valid && is_readable('/dev/urandom')) { + $f = fopen('/dev/urandom', 'r'); + $read = static::strlen($buffer); + while ($read < $length) { + $buffer .= fread($f, $length - $read); + $read = static::strlen($buffer); + } + fclose($f); + if ($read >= $length) { + $buffer_valid = true; + } + } + + if 
(!$buffer_valid) { + throw new Exception("No suitable random number generator available"); + } + + $salt = str_replace(array('+', '$'), array('.', ''), base64_encode($buffer)); + + return $salt; + } + + /** + * Create a password hash + * + * @param string $password The clear text password + * @param string $salt The salt to use, or null to generate a random one + * @param int $N The CPU difficultly (must be a power of 2, > 1) + * @param int $r The memory difficultly + * @param int $p The parallel difficultly + * + * @return string The hashed password + */ + public static function hash($password, $salt = false, $N = 16384, $r = 8, $p = 1) + { + if ($N == 0 || ($N & ($N - 1)) != 0) { + throw new \InvalidArgumentException("N must be > 0 and a power of 2"); + } + + if ($N > PHP_INT_MAX / 128 / $r) { + throw new \InvalidArgumentException("Parameter N is too large"); + } + + if ($r > PHP_INT_MAX / 128 / $p) { + throw new \InvalidArgumentException("Parameter r is too large"); + } + + if ($salt === false) { + $salt = self::generateSalt(); + } else { + // Remove dollar signs from the salt, as we use that as a separator. + $salt = str_replace(array('+', '$'), array('.', ''), base64_encode($salt)); + } + + $hash = scrypt($password, $salt, $N, $r, $p, self::$_keyLength); + + return $N . '$' . $r . '$' . $p . '$' . $salt . '$' . $hash; + } + + /** + * Check a clear text password against a hash + * + * @param string $password The clear text password + * @param string $hash The hashed password + * + * @return boolean If the clear text matches + */ + public static function check($password, $hash) + { + // Is there actually a hash? + if (!$hash) { + return false; + } + + list ($N, $r, $p, $salt, $hash) = explode('$', $hash); + + // No empty fields? + if (empty($N) or empty($r) or empty($p) or empty($salt) or empty($hash)) { + return false; + } + + // Are numeric values numeric? 
+ if (!is_numeric($N) or !is_numeric($r) or !is_numeric($p)) { + return false; + } + + $calculated = scrypt($password, $salt, $N, $r, $p, self::$_keyLength); + + // Use compareStrings to avoid timeing attacks + return self::compareStrings($hash, $calculated); + } + + /** + * Zend Framework (http://framework.zend.com/) + * + * @link http://github.com/zendframework/zf2 for the canonical source repository + * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com) + * @license http://framework.zend.com/license/new-bsd New BSD License + * + * Compare two strings to avoid timing attacks + * + * C function memcmp() internally used by PHP, exits as soon as a difference + * is found in the two buffers. That makes possible of leaking + * timing information useful to an attacker attempting to iteratively guess + * the unknown string (e.g. password). + * + * @param string $expected + * @param string $actual + * + * @return boolean If the two strings match. + */ + public static function compareStrings($expected, $actual) + { + $expected = (string) $expected; + $actual = (string) $actual; + $lenExpected = static::strlen($expected); + $lenActual = static::strlen($actual); + $len = min($lenExpected, $lenActual); + + $result = 0; + for ($i = 0; $i < $len; $i ++) { + $result |= ord($expected[$i]) ^ ord($actual[$i]); + } + $result |= $lenExpected ^ $lenActual; + + return ($result === 0); + } +} -- 2.39.2