Add constant time explaination

sonata-project · Mar 17, 2018 · f874c50 · f874c50
1 parent f4f4be1
commit f874c50
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/src/GoogleAuthenticator.php b/src/GoogleAuthenticator.php
@@ -78,6 +78,14 @@ public function __construct(int $passCodeLength = 6, int $secretLength = 10, \Da
      */
     public function checkCode($secret, $code): bool
     {
+        /**
+         * The result of each comparison is accumulated here instead of using a guard clause
+         * (https://refactoring.com/catalog/replaceNestedConditionalWithGuardClauses.html). This is to implement
+         * constant time comparison to make side-channel attacks harder. See
+         * https://cryptocoding.net/index.php/Coding_rules#Compare_secret_strings_in_constant_time for details.
+         * Each comparison uses hash_equals() instead of an operator to implement constant time equality comparison
+         * for each code.
+         */
         $result = 0;
 
         // current period