Newsgroups: php.internals
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Tue, 4 Feb 2014 06:04:35 +0900
Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function
To: Nikita Popov
Cc: Rouven Weßling, PHP internals

Hi all,

We can be more conservative. So 127 is not long enough for SHA-512, make it 256 for larger hashes?

On Tue, Feb 4, 2014 at 5:57 AM, Yasuo Ohgaki wrote:

> Length leak is a known issue and we may improve these. There was discussion for this.
> For the sake of completeness, we may address issues now or later.
>
> To be honest, I think length leak must be avoided especially for shorter strings.
> It would be better to iterate at least 100 times regardless of input.
>
> Perhaps, something like
> > + /** > + * If known_string has a length of 0 we set the length to 1, > + * this will cause us to compare all bytes of userString with the null > byte which fails > + */ > + mod_len = MAX(known_len, 1); > len = MAX(known_len, 127); > len = MAX(known_len, 256); > + > + /* This is security sensitive code. Do not optimize this for speed. */ > + result = known_len - user_len; > > + for (j = 0; j < user_len; j++) { > > for (j = 0; j < len; j++) { > > > + result |= known_str[j % mod_len] ^ user_str[j]; > > result |= known_str[j % known_len] ^ user_str[j % user_len]; > + } >

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
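Review bot: The suggested replacement line `result |= known_str[j % known_len] ^ user_str[j % user_len];` takes a modulus by zero whenever either string is empty, because it drops the `mod_len = MAX(known_len, 1)` guard that the `+` version applies to the known side and has no equivalent for `user_len`. Keep `j % mod_len` for `known_str` and add a matching floor of 1 for the user side; that relies on index 0 of an empty string being readable, which the patch comment already assumes for `known_str`. Separately, `len = MAX(known_len, 127)` (or 256) ignores `user_len`, so the iteration count is fixed only while `known_len` stays under the floor and follows `known_len` above it; the comment should state which length is meant to be hidden and up to what size.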