Re: [VOTE] Timing attack safe string comparison function

From: Date: Sun, 23 Feb 2014 18:31:38 +0000
Subject: Re: [VOTE] Timing attack safe string comparison function
References: 1 2  Groups: php.internals 
Hello together,

I've updated the patch, taking the following feedback into account:
- Renamed function to hash_equals
- Error out early in case string lengths are not equal (I've maintained the names known_string
and user_string to allow improving this in the future; also makes for a nicer error message)
- Only allow strings to be compared

The patch can be found here: https://github.com/realityking/php-src/compare/hash_equals

If anyone thinks that this needs a new RFC, please say so.

Best regards
Rouven
 
On 23.02.2014, at 16:11, Rouven Weßling <[email protected]> wrote:

> I'm incredibly sorry I haven't been able to get back to this earlier.
> 
> The RFC was accepted 22 to 1. As there was an abundance of feedback during the voting period
> and beyond I'll update the implementation accordingly. After that I'll discuss whether
> this goes into 5.6 or 5.7 with the RMs.
> 
> Best regards
> Rouven
> 
> On 02.02.2014, at 23:50, Rouven Weßling <[email protected]> wrote:
> 
>> Hi internals,
>> 
>> as I've received no further feedback I've opened the voting on "Timing
>> attack safe string comparison function":
>> 
>> - https://wiki.php.net/rfc/timing_attack
>> 
>> Voting ends on 2014/02/09 11:00PM UTC
>> 
>> Best regards
>> Rouven
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
>> 

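The three design points listed in the message above, as an added C sketch that is not the code from the linked patch: `ct_equals`, `leaky_equals`, the `cmp_result` codes and the step counter are hypothetical names, NULL stands in for a non-string argument, and the sample values are constructed. The step counter shows, without a timer, that an early-exit loop does work proportional to the matching prefix while the XOR-accumulate loop does not.

```c
#include <stddef.h>
#include <stdio.h>

/* Result codes for this sketch (hypothetical names, not php-src identifiers). */
enum cmp_result { CMP_EQUAL, CMP_DIFFERENT, CMP_LENGTH_MISMATCH, CMP_BAD_ARG };

/* Early-exit comparison for contrast: *steps grows with the matching prefix. */
enum cmp_result leaky_equals(const char *known, const char *user,
                             size_t len, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        if (known[i] != user[i])
            return CMP_DIFFERENT;
    }
    return CMP_EQUAL;
}

/* Reject non-strings (modelled as NULL), stop early only on a length
 * mismatch, then inspect every byte wherever the first difference is. */
enum cmp_result ct_equals(const char *known, size_t known_len,
                          const char *user, size_t user_len, size_t *steps)
{
    volatile unsigned char diff = 0; /* volatile discourages short-circuiting */
    *steps = 0;
    if (known == NULL || user == NULL) return CMP_BAD_ARG;
    if (known_len != user_len) return CMP_LENGTH_MISMATCH; /* reveals length only */
    for (size_t i = 0; i < known_len; i++) {
        diff |= (unsigned char)known[i] ^ (unsigned char)user[i];
        (*steps)++;
    }
    return diff == 0 ? CMP_EQUAL : CMP_DIFFERENT;
}

int main(void)
{
    const char known[] = "a1b2c3d4"; /* constructed sample value */
    size_t first, late;
    leaky_equals(known, "X1b2c3d4", 8, &first);
    leaky_equals(known, "a1b2c3X4", 8, &late);
    printf("early-exit bytes inspected: %zu vs %zu\n", first, late);
    ct_equals(known, 8, "X1b2c3d4", 8, &first);
    ct_equals(known, 8, "a1b2c3X4", 8, &late);
    printf("constant-time bytes inspected: %zu vs %zu\n", first, late);
    return 0;
}
```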

