Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:70849 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 98850 invoked from network); 23 Dec 2013 09:45:38 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Dec 2013 09:45:38 -0000 Authentication-Results: pb1.pair.com header.from=me@rouvenwessling.de; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=me@rouvenwessling.de; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain rouvenwessling.de designates 5.35.242.46 as permitted sender) X-PHP-List-Original-Sender: me@rouvenwessling.de X-Host-Fingerprint: 5.35.242.46 rouvenwessling.de Linux 2.6 Received: from [5.35.242.46] ([5.35.242.46:60897] helo=lvps5-35-242-46.dedicated.hosteurope.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 23/43-08405-14608B25 for ; Mon, 23 Dec 2013 04:45:38 -0500 Received: by lvps5-35-242-46.dedicated.hosteurope.de (Postfix, from userid 5001) id 6514F1AF6C00D; Mon, 23 Dec 2013 10:45:34 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on lvps5-35-242-46.dedicated.hosteurope.de X-Spam-Level: X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.3.1 Received: from [192.168.0.124] (ip-88-152-3-96.unitymediagroup.de [88.152.3.96]) by lvps5-35-242-46.dedicated.hosteurope.de (Postfix) with ESMTPA id 726611AF6C00B; Mon, 23 Dec 2013 10:45:31 +0100 (CET) Content-Type: text/plain; charset=iso-8859-1 Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\)) In-Reply-To: <52B7209C.2040802@ajf.me> Date: Mon, 23 Dec 2013 10:45:29 +0100 Cc: List PHP Mailing List Content-Transfer-Encoding: quoted-printable Message-ID: <3EFE191D-2A93-47E9-805D-538950849C96@rouvenwessling.de> References: <3014595E-B155-47F6-AC7B-71083D89525D@rouvenwessling.de> <52B7209C.2040802@ajf.me> To: Andrea Faulds , yohgaki@ohgaki.net, Tjerk Meesters , Joe Watkins X-Mailer: Apple Mail (2.1822) Subject: Re: [PHP-DEV] [RFC] Timing attack safe string comparison function From: me@rouvenwessling.de (=?iso-8859-1?Q?Rouven_We=DFling?=) Thanks everyone for your feedback, answers inline. On 22.12.2013, at 18:25, Andrea Faulds wrote: > I note your patch uses C++-style (// foobar) comments. However, = according to the coding standards[0], only C-style (/* foobar */) = comments should be used. Thanks for the hint, I changed the patch accordingly. On 23.12.2013, at 00:55, Yasuo Ohgaki wrote: > As you mentioned in code, users should not use when known or user = supplied string > is null. >=20 > How about add E_NOTICE error for that case? > If user shouldn't then we are better to warn them. That's a fair point, but I expect people would in that case just do = their own check of strlen() =3D=3D=3D 0 and error out and nothing is = gained. Maybe we can find a way to not need the check at all. (see next = response) > Comparison is good since it always does the same operation based on = user supplied > string. (Unless compiler does optimizations that I don't expect) Thanks for checking that, the people do the better. On 23.12.2013, at 02:26, Tjerk Meesters = wrote: > On the whole it looks okay. >=20 > The special branch for `known_len =3D=3D 0 && user_len !=3D 0` can be = avoided by doing something like this: >=20 > mod_len =3D max(known_len, 1); >=20 > And then use `j % mod_len` instead of `j % known_len` to avoid a = division by zero; since `x mod 1` always yields `0` you will always be = comparing against the null byte of the known string. This looks like a good approach, but I was under the impression, that = PHP strings aren't guaranteed to have a terminating null byte. Am I = mistaken? On 23.12.2013, at 10:09, Joe Watkins wrote: > This does not appear to solve any problems, it appears to add = another function, for that function to solve any problems it must be = deployed. > So the RFC relies on everyone swapping out every security = sensitive string comparison with the new function, which simply will not = happen. It's true that adding this function won't magically make any application = safer. The whole point is making it easier for application developers - = especially those not using a huge framework - to use a string comparison = algorithm that - hopefully - many people have reviewed. Also if there's = an issue, this will be fixed by the regular PHP updates (or = distributions backports) > I'm up for doing something about security, however, this doesn't = actually do that, what it does is add a (generically named) function = that nobody is very likely to deploy, and doesn't fix the vulnerability = in existing code ... which surely has to be the aim of anything targeted = at security - existing code. >=20 > Obviously, we cannot really change all string comparisons to use = security sensitive logic, so this isn't something we can really solve = everywhere from the core, some action must be taken by the user ... As you mention yourself, we obviously can't force every string = comparison to be time constant. This means there's no "magic bullet" and = I think this is the second best thing to do. > It might have more traction if the function were named = password_compare or hash_compare or something similar that gives = everyone the idea that it is not simply a string comparison function but = the correct way to verify in particular passwords/hashes or whatever. = I'd be much more inclined to say that's a good idea, providing a full = set of tools for password related foo. I don't care about the name at all (it's mentioned as an open issue in = the RFC), it's admittedly the second one that came to my mind (after = str_compare_time_constant which is way too long). hash_compare does = sound pretty good though. Best regards Rouven=