
Some docs cleanup

1 parent 7bc0095 commit a088a2604b1e52517d0657403cac8a14d7b41c26 @ircmaxell committed Apr 16, 2012
Showing with 10 additions and 3 deletions.
  1. +8 −0 lib/PasswordLib/Password/AbstractPassword.php
  2. +2 −3 lib/PasswordLib/PasswordLib.php
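--- a/lib/PasswordLib/Password/AbstractPassword.php
+++ b/lib/PasswordLib/Password/AbstractPassword.php
@@ -55,10 +55,18 @@ public static function getPrefix() {
 /**
 * Perform a constant time comparison between two hash strings
+ *
+ * This is done to prevent remote timing attacks from giving an attacker
+ * information about the hash remotely. This provides a constant runtime
+ * equality check between two strings of the same length. This should be used
+ * any time sensitive information is compared, as === can leak information
+ * about the position of the difference to an attacker.
 *
 * @param string $hash1 The first hash to compare
 * @param string $hash2 The second hash to compare
 *
+ * @see http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/
+ * @see http://rdist.root.org/2010/01/07/timing-independent-array-comparison/
 * @return boolean True if the strings are identical
 */
 protected function compareStrings($hash1, $hash2) {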
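Review bot: The added paragraph limits the constant-time guarantee to "two strings of the same length" but never says what compareStrings does when the lengths differ, which is the case a caller most needs spelled out. The function body lies outside this hunk, so the behaviour cannot be confirmed from here; if it returns early on a length mismatch, the docblock should say so, for example `* Strings of different lengths compare as not equal; only the length, not the content, can be inferred from timing.` It would also help to say which argument is the stored hash and which is the externally supplied value, and to mention `hash_equals()` as the built-in equivalent on PHP versions that provide it.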
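--- a/lib/PasswordLib/PasswordLib.php
+++ b/lib/PasswordLib/PasswordLib.php
@@ -154,9 +154,8 @@ public function shuffleArray(array $array) {
 * @return string The shuffled string
 */
 public function shuffleString($string) {
- $factory = new RandomFactory;
- $array = str_split($string);
- $result = $this->shuffleArray($array);
+ $array = str_split($string);
+ $result = $this->shuffleArray($array);
 return implode('', $result);
 }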
