Constant time comparison for codes

sonata-project · Mar 17, 2018 · f4f4be1 · f4f4be1
1 parent 789fd1c
commit f4f4be1
Showing 1 changed file with 6 additions and 10 deletions.
diff --git a/src/GoogleAuthenticator.php b/src/GoogleAuthenticator.php
@@ -78,24 +78,20 @@ public function __construct(int $passCodeLength = 6, int $secretLength = 10, \Da
      */
     public function checkCode($secret, $code): bool
     {
+        $result = 0;
+
         // current period
-        if (hash_equals($this->getCode($secret, $this->now), $code)) {
-            return true;
-        }
+        $result += hash_equals($this->getCode($secret, $this->now), $code);
 
         // previous period, happens if the user was slow to enter or it just crossed over
         $dateTime = new \DateTimeImmutable('@'.($this->now->getTimestamp() - $this->codePeriod));
-        if (hash_equals($this->getCode($secret, $dateTime), $code)) {
-            return true;
-        }
+        $result += hash_equals($this->getCode($secret, $dateTime), $code);
 
         // next period, happens if the user is not completely synced and possibly a few seconds ahead
         $dateTime = new \DateTimeImmutable('@'.($this->now->getTimestamp() + $this->codePeriod));
-        if (hash_equals($this->getCode($secret, $dateTime), $code)) {
-            return true;
-        }
+        $result += hash_equals($this->getCode($secret, $dateTime), $code);
 
-        return false;
+        return $result > 0;
     }
 
     /**