ilBasePasswordEncoder Class Reference

Inheritance diagram for ilBasePasswordEncoder:

Collaboration diagram for ilBasePasswordEncoder:

Data Fields
const	MAX_PASSWORD_LENGTH = 4096

Protected Member Functions
	comparePasswords ($known_string, $user_string)
	Compares two passwords. More...
	isPasswordTooLong ($password)
	Checks if the password is too long. More...

Additional Inherited Members
Public Member Functions inherited from ilPasswordEncoder
	encodePassword ($raw, $salt)
	Encodes the raw password. More...
	isPasswordValid ($encoded, $raw, $salt)
	Checks a raw password against an encoded password. More...
	getName ()
	Returns a unique name/id of the concrete password encoder. More...
	requiresSalt ()
	Returns whether or not the encoder requires a salt. More...

Detailed Description

Definition at line 11 of file class.ilBasePasswordEncoder.php.

Member Function Documentation

comparePasswords()

ilBasePasswordEncoder::comparePasswords (   $known_string,   $user_string  )

protected

Compares two passwords.

This method implements a constant-time algorithm to compare passwords to avoid (remote) timing attacks. @url http://codahale.com/a-lesson-in-timing-attacks/

Parameters

string	$known_string	The first password
string	$user_string	The second password

Returns

Boolean true if the two passwords are the same, false otherwise

Definition at line 27 of file class.ilBasePasswordEncoder.php.

        {
                // Prevent issues if string length is 0
                $known_string .= chr(0);
                $user_string  .= chr(0);
 
                $known_string_length = strlen($known_string);
                $user_string_length  = strlen($user_string);
 
                // Set the result to the difference between the lengths
                $result = $known_string_length - $user_string_length;
 
                // Note that we ALWAYS iterate over the user-supplied length
                // This is to prevent leaking length information
                for($i = 0; $i < $user_string_length; $i++)
                {
                        // Using % here is a trick to prevent notices
                        // It's safe, since if the lengths are different
                        // $result is already non-0
                        $result |= (ord($known_string[$i % $known_string_length]) ^ ord($user_string[$i]));
                }
 
                // They are only identical strings if $result is exactly 0...
                return 0 === $result;
        }

References $result.

Referenced by ilMd5PasswordEncoder\isPasswordValid().

Here is the caller graph for this function:

isPasswordTooLong()

ilBasePasswordEncoder::isPasswordTooLong (   $password )

protected

Checks if the password is too long.

Parameters

string

$password

The password

Returns

bool true if the password is too long, false otherwise

Definition at line 58 of file class.ilBasePasswordEncoder.php.

        {
                return strlen($password) > self::MAX_PASSWORD_LENGTH;
        }

References MAX_PASSWORD_LENGTH.

Referenced by ilBcryptPasswordEncoder\encodePassword(), ilMd5PasswordEncoder\encodePassword(), ilBcryptPasswordEncoder\isPasswordValid(), and ilMd5PasswordEncoder\isPasswordValid().

Here is the caller graph for this function:

Field Documentation

MAX_PASSWORD_LENGTH

const ilBasePasswordEncoder::MAX_PASSWORD_LENGTH = 4096

Definition at line 16 of file class.ilBasePasswordEncoder.php.

Referenced by isPasswordTooLong().

---

The documentation for this class was generated from the following file:

• Services/Password/classes/class.ilBasePasswordEncoder.php