Use hash_equals in password.php (and move it to funcs.php)

Signed-off-by: Mcat12 <newtoncat12@yahoo.com>

scripts/pi-hole/php/auth.php

@@ -92,26 +92,6 @@ function check_csrf($token) {
         session_start();
     }
 
-    // Credit: http://php.net/manual/en/function.hash-equals.php#119576
-    if(!function_exists('hash_equals')) {
-        function hash_equals($known_string, $user_string) {
-            $ret = 0;
-
-            if (strlen($known_string) !== strlen($user_string)) {
-                $user_string = $known_string;
-                $ret = 1;
-            }
-
-            $res = $known_string ^ $user_string;
-
-            for ($i = strlen($res) - 1; $i >= 0; --$i) {
-                $ret |= ord($res[$i]);
-            }
-
-            return !$ret;
-        }
-    }
-
     if(!isset($_SESSION['token']) || empty($token) || !hash_equals($_SESSION['token'], $token)) {
         log_and_die("Wrong token");
     }

scripts/pi-hole/php/func.php

@@ -25,4 +25,24 @@ function checkfile($filename) {
     }
 }
 
+// Credit: http://php.net/manual/en/function.hash-equals.php#119576
+if(!function_exists('hash_equals')) {
+    function hash_equals($known_string, $user_string) {
+        $ret = 0;
+
+        if (strlen($known_string) !== strlen($user_string)) {
+         $user_string = $known_string;
+         $ret = 1;
+        }
+
+        $res = $known_string ^ $user_string;
+
+        for ($i = strlen($res) - 1; $i >= 0; --$i) {
+         $ret |= ord($res[$i]);
+        }
+
+        return !$ret;
+   }
+}
+
 ?>

scripts/pi-hole/php/password.php

@@ -6,6 +6,8 @@
 *  This file is copyright under the latest version of the EUPL.
 *  Please see LICENSE file for your rights under this license. */
 
+    require('func.php');
+
     // Start a new PHP session (or continue an existing one)
     session_start();
 
@@ -37,7 +39,7 @@
         if(isset($_POST["pw"]))
         {
             $postinput = hash('sha256',hash('sha256',$_POST["pw"]));
-            if($postinput == $pwhash)
+            if(hash_equals($pwhash, $postinput))
             {
                 $_SESSION["hash"] = $pwhash;
 
@@ -57,13 +59,13 @@
         // Compare auth hash with saved hash
         else if (isset($_SESSION["hash"]))
         {
-            if($_SESSION["hash"] == $pwhash)
+            if(hash_equals($pwhash, $_SESSION["hash"]))
                 $auth = true;
         }
         // API can use the hash to get data without logging in via plain-text password
         else if (isset($api) && isset($_GET["auth"]))
         {
-            if($_GET["auth"] == $pwhash)
+            if(hash_equals($pwhash, $_GET["auth"]))
                 $auth = true;
         }
         else