Newsgroups: php.internals
Date: Mon, 3 Feb 2014 08:21:25 -0800
Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function
From: pollita@php.net (Sara Golemon)
To: Andrea Faulds
Cc: Rouven Weßling, PHP internals

On Mon, Feb 3, 2014 at 4:23 AM, Andrea Faulds wrote:
> On 02/02/14 22:50, Rouven Weßling wrote:
> I've voted yes. However, at the risk of opening more bikeshedding again, I
> should say that I don't think hash_compare is an appropriate name. It's a
> timing attack-safe string comparison function, so I think something like
> str_equals_time_constant might be better as it is not so much a hash
> comparison function as a string comparison function.
>
I seem to remember that topic coming up (and I agree with you), but I
don't recall anyone coming up with a universally liked name. I
suppose something is better than nothing.

-Sara