/**
* Compares whether two strings are equal. To prevent guessing of the string
* length this is done by comparing two hashes against each other and afterwards
* a comparison of the real string to prevent against the unlikely chance of
* collisions.
* @param string $expected The expected value
* @param string $input The input to compare against
* @return bool True if the two strings are equal, otherwise false.
*/
public static function equals($expected, $input)
{
return \OC\Security\StringUtils::equals($expected, $input);
}
/**
* @dataProvider dataProvider
*/
function testTrueEquals($string, $expected)
{
$this->assertTrue(StringUtils::equals($string, $expected));
}
/**
* Verify legacy hashes
* @param string $message Message to verify
* @param string $hash Assumed hash of the message
* @param null|string &$newHash Reference will contain the updated hash
* @return bool Whether $hash is a valid hash of $message
*/
protected function legacyHashVerify($message, $hash, &$newHash = null)
{
if (empty($this->legacySalt)) {
$this->legacySalt = $this->config->getSystemValue('passwordsalt', '');
}
// Verify whether it matches a legacy PHPass or SHA1 string
$hashLength = strlen($hash);
if ($hashLength === 60 && password_verify($message . $this->legacySalt, $hash) || $hashLength === 40 && StringUtils::equals($hash, sha1($message))) {
$newHash = $this->hash($message);
return true;
}
return false;
}
