Exception
5 years ago
WebAuthException
5 years ago
certs
5 years ago
AppInfo.php
5 years ago
AppInfoLoadException.php
5 years ago
ArrayEntryStore.php
5 years ago
AuthBase.php
5 years ago
AuthInfo.php
5 years ago
AuthInfoLoadException.php
5 years ago
Checker.php
5 years ago
Client.php
5 years ago
Curl.php
5 years ago
CurlStreamRelay.php
5 years ago
DeserializeException.php
5 years ago
DropboxMetadataHeaderCatcher.php
5 years ago
Exception.php
5 years ago
Host.php
5 years ago
HttpResponse.php
5 years ago
OAuth1AccessToken.php
5 years ago
OAuth1Upgrader.php
5 years ago
Path.php
5 years ago
RequestUtil.php
5 years ago
RootCertificates.php
5 years ago
SSLTester.php
5 years ago
Security.php
5 years ago
StreamReadException.php
5 years ago
Util.php
5 years ago
ValueStore.php
5 years ago
WebAuth.php
5 years ago
WebAuthBase.php
5 years ago
WebAuthNoRedirect.php
5 years ago
WriteMode.php
5 years ago
autoload.php
5 years ago
strict.php
5 years ago
Security.php
68 lines
| 1 | <?php |
| 2 | namespace Dropbox; |
| 3 | |
| 4 | /** |
| 5 | * Helper functions for security-related things. |
| 6 | */ |
| 7 | class Security |
| 8 | { |
| 9 | /** |
| 10 | * A string equality function that compares strings in a way that isn't suceptible to timing |
| 11 | * attacks. An attacker can figure out the length of the string, but not the string's value. |
| 12 | * |
| 13 | * Use this when comparing two strings where: |
| 14 | * - one string could be influenced by an attacker |
| 15 | * - the other string contains data an attacker shouldn't know |
| 16 | * |
| 17 | * @param string $a |
| 18 | * @param string $b |
| 19 | * @return bool |
| 20 | */ |
| 21 | static function stringEquals($a, $b) |
| 22 | { |
| 23 | // Be strict with arguments. PHP's liberal types could get us pwned. |
| 24 | if (func_num_args() !== 2) { |
| 25 | throw new \InvalidArgumentException("Expecting 2 args, got ".func_num_args()."."); |
| 26 | } |
| 27 | Checker::argString("a", $a); |
| 28 | Checker::argString("b", $b); |
| 29 | |
| 30 | $len = strlen($a); |
| 31 | if (strlen($b) !== $len) return false; |
| 32 | |
| 33 | $result = 0; |
| 34 | for ($i = 0; $i < $len; $i++) { |
| 35 | $result |= ord($a[$i]) ^ ord($b[$i]); |
| 36 | } |
| 37 | return $result === 0; |
| 38 | } |
| 39 | |
| 40 | /** |
| 41 | * Returns cryptographically strong secure random bytes (as a PHP string). |
| 42 | * |
| 43 | * @param int $numBytes |
| 44 | * The number of bytes of random data to return. |
| 45 | * |
| 46 | * @return string |
| 47 | */ |
| 48 | static function getRandomBytes($numBytes) |
| 49 | { |
| 50 | Checker::argIntPositive("numBytes", $numBytes); |
| 51 | |
| 52 | // openssl_random_pseudo_bytes had some issues prior to PHP 5.3.4 |
| 53 | if (function_exists('openssl_random_pseudo_bytes') |
| 54 | && version_compare(PHP_VERSION, '5.3.4') >= 0) { |
| 55 | $s = openssl_random_pseudo_bytes($numBytes, $isCryptoStrong); |
| 56 | if ($isCryptoStrong) return $s; |
| 57 | } |
| 58 | |
| 59 | if (function_exists('mcrypt_create_iv')) { |
| 60 | return mcrypt_create_iv($numBytes); |
| 61 | } |
| 62 | |
| 63 | // Hopefully the above two options cover all our users. But if not, there are |
| 64 | // other platform-specific options we could add. |
| 65 | throw new \Exception("no suitable random number source available"); |
| 66 | } |
| 67 | } |
| 68 |