Timing attack possible on Phalcon\Security::checkHash() ?

[moderndeveloperllc]

While doing a userland class to allow the use of scrypt hashing in Phalcon, I came across lots of talk about theoretical timing attacks on hash/encyption checking functions. The issue comes about with C function memcmp() internally used by PHP. Basically, it returns on the first non-equal byte, which can provide timing info to allow iterative guessing of the string. Other vendors have added utility functions to do constant-time string comparison. I noticed that the checkHash() function uses the is_equal_function C function. I believe that this has the same issue, but I'm not totally sure. Perhaps something to think about for 2.0?

This was on my todo list for the past 5 months 😕

[moderndeveloperllc]

Sorry, I tried to see if there was already an issue logged for this. Thanks for getting this in!

The fix has been merged into both 1.2.5 and 1.3.0.