Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Timing attack safe string comparison function
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Rouven Weßling
Cc: internals@lists.php.net
Date: Mon, 23 Dec 2013 08:55:02 +0900
In-Reply-To: <3014595E-B155-47F6-AC7B-71083D89525D@rouvenwessling.de>

Hi Rouven,

On Mon, Dec 23, 2013 at 2:08 AM, Rouven Weßling wrote:
> I'd like to propose this RFC to introduce a time-constant string
> comparison function: https://wiki.php.net/rfc/timing_attack
>
> I will not open the voting before January 7 to account for ho

As you mentioned in the code, users should not use it when the known or user-supplied string is null. How about adding an E_NOTICE error for that case? If users shouldn't, then we had better warn them.

The comparison is good since it always does the same operation based on the user-supplied string. (Unless the compiler does optimizations that I don't expect.)

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
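The property Yasuo is relying on, that the comparison's work depends only on the user-supplied string and not on where the first mismatching byte is, illustrated as an added example in C (not the RFC's or PHP's own implementation; `timing_safe_compare`, `early_exit_compare` and the `iterations` counter are illustrative names). The null-input case he asks to warn about is returned as a distinct error code rather than silently reported as "not equal".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if equal, 0 if not equal, -1 if either string is NULL.
 * The -1 path corresponds to the case a caller should be warned about
 * (e.g. with E_NOTICE) instead of getting a silent "not equal". */
int timing_safe_compare(const char *known, size_t known_len,
                        const char *user, size_t user_len,
                        size_t *iterations)
{
    unsigned char diff = 0;
    size_t i;

    if (iterations) *iterations = 0;
    if (known == NULL || user == NULL)
        return -1;

    /* A length mismatch is reported immediately: for fixed-length digests
     * the length is not secret, and this avoids reading past either buffer. */
    if (known_len != user_len)
        return 0;

    /* The loop bound and the work per byte depend only on the user-supplied
     * length: every byte is XORed and OR-ed in, with no early exit. */
    for (i = 0; i < user_len; i++) {
        diff |= (unsigned char)known[i] ^ (unsigned char)user[i];
        if (iterations) (*iterations)++;
    }
    return diff == 0;
}

/* strcmp-style comparison for contrast: it stops at the first mismatch, so
 * the number of iterations (and the time taken) reveals the matching prefix. */
int early_exit_compare(const char *known, const char *user, size_t len,
                       size_t *iterations)
{
    size_t i;
    *iterations = 0;
    for (i = 0; i < len; i++) {
        (*iterations)++;
        if (known[i] != user[i]) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: same length, mismatch in first vs last byte. */
    size_t it_safe, it_fast;
    timing_safe_compare("abcdef", 6, "xbcdef", 6, &it_safe);
    early_exit_compare("abcdef", "xbcdef", 6, &it_fast);
    printf("first-byte mismatch: safe=%zu iterations, early-exit=%zu\n", it_safe, it_fast);
    timing_safe_compare("abcdef", 6, "abcdex", 6, &it_safe);
    early_exit_compare("abcdef", "abcdex", 6, &it_fast);
    printf("last-byte mismatch:  safe=%zu iterations, early-exit=%zu\n", it_safe, it_fast);
    return 0;
}
```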