Hello together,
I've updated the patch, taking the following feedback into account:
- Renamed function to hash_equals
- Error out early in case string lengths are not equal (I've maintained the names known_string
  and user_string to allow improving this in the future, also makes for a nicer error message)
- Only allow strings to be compared
The patch can be found here: https://github.com/realityking/php-src/compare/hash_equals
If anyone thinks that this needs a new RFC, please say so.
Best regards
Rouven
On 23.02.2014, at 16:11, Rouven Weßling <[email protected]> wrote:
> I'm incredibly sorry I haven't been able to get back to this earlier.
>
> The RFC was accepted 22 to 1. As there was an abundance of feedback during the voting period
> and beyond I'll update the implementation accordingly. After that I'll discuss whether
> this goes into 5.6 or 5.7 with the RMs.
>
> Best regards
> Rouven
>
> On 02.02.2014, at 23:50, Rouven Weßling <[email protected]> wrote:
>
>> Hi internals,
>>
>> as I've received no further feedback I've opened the voting on "Timing
>> attack safe string comparison function":
>>
>> - https://wiki.php.net/rfc/timing_attack
>>
>> Voting ends on 2014/02/09 11:00PM UTC
>>
>> Best regards
>> Rouven
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
>
>
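Added example, not part of the thread and not taken from the linked patch: a C sketch of a comparison with the early length check described in the message, next to an early-exit comparison for contrast. The function names, result codes, sample strings and the XOR/OR accumulation are assumptions of this example; the `examined` counter exists only to make visible what timing would reveal.

```c
#include <stddef.h>
#include <stdio.h>
/* Result codes and function names are this example's own, not PHP's. */
enum cmp_result { CMP_EQUAL, CMP_DIFFERENT, CMP_LENGTH_ERROR };
typedef const unsigned char *bytes;

/* Early-exit comparison, for contrast. *examined counts the bytes read,
 * which is the quantity response time reveals to whoever supplies `user`. */
static enum cmp_result naive_equals(bytes known, size_t known_len,
                                    bytes user, size_t user_len, size_t *examined)
{
    *examined = 0;
    if (known_len != user_len)
        return CMP_LENGTH_ERROR;
    for (size_t i = 0; i < known_len; i++) {
        (*examined)++;
        if (known[i] != user[i])
            return CMP_DIFFERENT;      /* stops at the first mismatch */
    }
    return CMP_EQUAL;
}

/* Lengths are checked up front; after that every byte is read regardless. */
static enum cmp_result ct_equals(bytes known, size_t known_len,
                                 bytes user, size_t user_len, size_t *examined)
{
    volatile unsigned char diff = 0;   /* volatile: keep the loop from being cut short */
    *examined = 0;
    if (known_len != user_len)
        return CMP_LENGTH_ERROR;
    for (size_t i = 0; i < known_len; i++) {
        diff |= (unsigned char)(known[i] ^ user[i]);   /* fold differences */
        (*examined)++;
    }
    return diff == 0 ? CMP_EQUAL : CMP_DIFFERENT;
}

int main(void)
{
    bytes known = (bytes)"a1b2c3d4";                    /* constructed sample */
    bytes tries[] = { (bytes)"X1b2c3d4", (bytes)"a1b2c3dX", (bytes)"a1b2c3d4" };
    for (size_t t = 0; t < 3; t++) {
        size_t n, c;
        naive_equals(known, 8, tries[t], 8, &n);
        ct_equals(known, 8, tries[t], 8, &c);
        printf("%s: naive=%zu ct=%zu bytes read\n", (const char *)tries[t], n, c);
    }
    return 0;
}
```

The early length check discloses only whether the two lengths match, which costs nothing when the compared values are fixed-length digests.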