Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:58989
Return-Path: <sam.e.giles@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 58779 invoked from network); 18 Mar 2012 00:04:18 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 18 Mar 2012 00:04:18 -0000
Authentication-Results: pb1.pair.com smtp.mail=sam.e.giles@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=sam.e.giles@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.54 as permitted sender)
X-PHP-List-Original-Sender: sam.e.giles@gmail.com
X-Host-Fingerprint: 74.125.82.54 mail-wg0-f54.google.com  
Received: from [74.125.82.54] ([74.125.82.54:36624] helo=mail-wg0-f54.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id ED/93-43639-186256F4 for <internals@lists.php.net>; Sat, 17 Mar 2012 19:04:17 -0500
Received: by wgbdq13 with SMTP id dq13so439836wgb.11
        for <internals@lists.php.net>; Sat, 17 Mar 2012 17:04:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:subject:references
         :in-reply-to:content-type;
        bh=8M3bfMaHJsJmlBVIGe3negWAilGP2RdGPo16uemGL40=;
        b=Jvq4acMgFUFWGCcil2Kwn/CmhHyOuLLKySD4sT+aCZHJW0O3noUvhLy1oogh8ccvy8
         txLG8FwBBBWf2Gx5UbJniG3SSPBT5mD6S3q5Zg0LOlbsAEHr+YSWcKmwhgjQFzs5NTd9
         AgzqwhRxz2PQrACqsUxfd8Fr3clfhKBlyjzV7IjZJ/lvtj56N/DLnGQacziQGSEv3RRW
         m+o6KKElcn+6+UrSupX7yYgzV5x9zMxgQSV3g2E807zkGLWmYH4AwJcoY8siXj2FzItL
         eP2HXml+CiNCotFj9U6CYA2i3lN3HbCaifknHg08glu3ZqDnI2zMIT8fpX5VZBE46ZfC
         A3gQ==
Received: by 10.180.97.41 with SMTP id dx9mr8969872wib.9.1332029054166;
        Sat, 17 Mar 2012 17:04:14 -0700 (PDT)
Received: from [192.168.1.104] (cpc9-soli5-2-0-cust33.perr.cable.virginmedia.com. [77.100.2.34])
        by mx.google.com with ESMTPS id df3sm12059007wib.1.2012.03.17.17.04.13
        (version=SSLv3 cipher=OTHER);
        Sat, 17 Mar 2012 17:04:13 -0700 (PDT)
Message-ID: <4F65267D.3040005@googlemail.com>
Date: Sun, 18 Mar 2012 00:04:13 +0000
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: internals@lists.php.net
References: <CAJWj5+HwwLCzc2QXkYgTba+6CT5Liae3ZG2TrCThqx+C6mkS8A@mail.gmail.com> <CAJWj5+HPtUTnmqC83AasB8SqaPBBY98sEivBjDrwkaMMfjzuZA@mail.gmail.com>
In-Reply-To: <CAJWj5+HPtUTnmqC83AasB8SqaPBBY98sEivBjDrwkaMMfjzuZA@mail.gmail.com>
Content-Type: multipart/alternative;
 boundary="------------060000040504010007000205"
Subject: Re: [PHP-DEV] Randomize hash-function in php
From: sam.e.giles@gmail.com (Sam)

--------------060000040504010007000205
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

On 17/03/12 23:17, Simon Schick wrote:
> Hi, All
>
> I just came around that talk a couple of days ago ..
> http://www.youtube.com/watch?v=R2Cq3CLI6H8
>
> I don't know much about hash-maps and internal php-stuff at all, but
> they say that the fix provided in 5.3.9 (and 5.4.0) is more a
> work-around than a fix ...
> Would it be an option to provide a real fix in PHP 6.0? They got the
> feedback that this will take some time and is not trivial, but we have
> a good time before PHP6 and can also break backwards compatibility for
> php-plugins if really necessary.
>
> As they said in the movie, PHP seems to have the algorithm DJBX33A
> implemented as Ruby. So as they're so proud of the fix provided by the
> Ruby-Team, may we can use that for PHP as well :)
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4815
>
> This is not much because some attacker can do something, but what if
> you have a real-world-application that (for some reason) build up an
> array that just will blow up because of that? I haven't experienced
> that until now, but it's possible ...
>
> Bye
> Simon
>

Hi,

Fairly new to this list so go easy :P..

Anyway I was looking at the hash function in PHP the other week, and was 
playing around with some different implementations.  DJBX33A is fast, 
which I guess is why PHP uses it as it is hit so many times in the 
execution.

However I tried and benchmarked a few different algorithms, I didn't try 
the patch you mentioned, however the only algorithm that came anywhere 
close to matching the DJBX33A method is Paul Hseih's Super Fast Hash 
algorithm: http://www.azillionmonkeys.com/qed/hash.html

I benchmarked the DJBX33A against Hseih's algorithm and compared the 
results using an Intel x86 architecture and an AMD 64 machine and both 
algorithms performed similarly.  The benchmarks weren't robust as they 
were only quick, 'let's hack and see' tests.  Would be interesting if 
anyone else has had a go.

If I can find it I'll post a patch so you could?

Cheers

Sam



--------------060000040504010007000205--