support versions of PHP without hash_equals()

fulcrm_crypto.module

@@ -34,9 +34,25 @@ function fulcrm_crypto_object_id_hmac( $object_type, $object_id ) {
     return drupal_hmac_base64( 'fulcrm:' . strval( $object_id ) . ':' . $object_type, session_id() . drupal_get_hash_salt() );
 }
 
+function fulcrm_crypto_hash_equals( $real_hmac, $hmac ) {
+    if ( function_exists( 'hash_equals' ) ) {
+        return hash_equals( $real_hmac, $hmac );
+    } else {
+        if ( strlen( $real_hmac ) != strlen( $hmac ) )
+            return false;
+        $xor = $real_hmac ^ $hmac;
+        $residual = 0;
+        for ( $i = strlen( $xor ) - 1; $i >= 0; $i-- )
+            $residual |= ord( $residual[ $i ] );
+        if ( $residual == 0 )
+            return true;
+        return false;
+    }
+}
+
 function fulcrm_crypto_check_object_id_hmac( $object_type, $object_id, $hmac ) {
     $real_hmac = fulcrm_crypto_object_id_hmac( $object_type, $object_id );
-    return hash_equals( $real_hmac, $hmac );
+    return fulcrm_crypto_hash_equals( $real_hmac, $hmac );
 }
 
 function fulcrm_crypto_object_id_form_value( $object_type, $object_id ) {
@@ -50,7 +66,7 @@ function fulcrm_crypto_get_object_id_form_value( $object_type, $form_value ) {
         $hmac = $bits[ 1 ];
         $real_hmac = fulcrm_crypto_object_id_hmac( $object_type, $object_id );
 
-        if ( hash_equals( $real_hmac, $hmac ) )
+        if ( fulcrm_crypto_hash_equals( $real_hmac, $hmac ) )
             return $object_id;
     }
     return NULL;