Newsgroups: php.internals
Date: Mon, 3 Feb 2014 19:58:21 +0000
To: Nikita Popov
Cc: Rouven Weßling, PHP internals
Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function
From: padraic.brady@gmail.com (Pádraic Brady)

Hi Nikita,

On 3 February 2014 17:10, Nikita Popov wrote:
> Did your code already get reviewed by someone with understanding of the
> issue? From a quick glance, two potential issues:
> * You are using MAX, i.e. an if-then-else branch. I'm pretty sure that the
> if and else branches will have different instruction counts in that case.
> Simple alternative would be something fixed like mod_len = known_len+1 or
> known_len&1.
> * You leak information on mod_len / known_len, because you will have
> different cache access patterns for comparing always the same 10 memory
> positions and 10000 different ones, at least I'd assume so.
> I don't know how you can prevent the latter issue, and if it is possible at
> all. Personally I'd just drop the length magic and explicitly document it
> to be safe for equal-length strings only. In any case you should have this
> reviewed by someone with more than just a cursory understanding of the
> matter.

The constant time comparison function, which is fairly standard at this point, doesn't protect length - only the timing of comparing two strings. The inputs should have identical length otherwise it's being used inappropriately.

It may seem that length being leaked is bad, but it's assumed to be a predictable factor in hashing passwords, etc. That may get taken for granted given how and where it's implemented in userland so an exception is not out of the question for a base function where lengths do differ.

Paddy

--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
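
The following C example is added here for illustration; it is not part of the original message and is not the code under vote. It places an early-exit comparison beside the standard equal-length constant-time comparison described in the reply, which returns immediately on a length mismatch and so protects only the byte contents. The function names, the `steps` counter and the sample strings are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit comparison (the pattern to avoid): the loop stops at the first
 * mismatch, so the work done reveals how long the matching prefix is.
 * *steps records how many bytes were examined. */
static int leaky_equals(const char *known, const char *user, size_t len,
                        size_t *steps)
{
    size_t i;
    *steps = 0;
    for (i = 0; i < len; i++) {
        (*steps)++;
        if (known[i] != user[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison for equal-length inputs only. A length mismatch
 * returns at once: the length is treated as public (e.g. a fixed-size digest),
 * so there is no MAX()/modulo handling and no branch on secret bytes. */
static int ct_equals(const char *known, size_t known_len,
                     const char *user, size_t user_len, size_t *steps)
{
    volatile unsigned char diff = 0; /* volatile: keep the accumulator in the loop */
    size_t i;
    *steps = 0;
    if (known_len != user_len)
        return 0;                    /* leaks the length, nothing else */
    for (i = 0; i < known_len; i++) {
        diff |= (unsigned char)known[i] ^ (unsigned char)user[i];
        (*steps)++;                  /* always known_len iterations */
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values: one expected token and two wrong guesses. */
    const char *known = "9f86d081", *first = "Xf86d081", *last = "9f86d08X";
    size_t a, b;
    leaky_equals(known, first, 8, &a);
    leaky_equals(known, last, 8, &b);
    printf("early-exit steps: %zu vs %zu\n", a, b);
    ct_equals(known, 8, first, 8, &a);
    ct_equals(known, 8, last, 8, &b);
    printf("constant-time steps: %zu vs %zu\n", a, b);
    return 0;
}
```

The step counter stands in for timing: the early-exit version does work proportional to the matching prefix, while the constant-time version always touches every byte once the lengths agree.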