Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72310
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 6680 invoked from network); 6 Feb 2014 01:29:37 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 6 Feb 2014 01:29:37 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.178 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.217.178 mail-lb0-f178.google.com  
Received: from [209.85.217.178] ([209.85.217.178:64966] helo=mail-lb0-f178.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 4D/3D-38005-085E2F25 for <internals@lists.php.net>; Wed, 05 Feb 2014 20:29:36 -0500
Received: by mail-lb0-f178.google.com with SMTP id u14so947794lbd.37
        for <internals@lists.php.net>; Wed, 05 Feb 2014 17:29:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=7lce8XUbpQbvx7th+G3S55dCr5xDEhHYiJLJbyzXkqQ=;
        b=kM8fCWqU5m8GlIIXT8wqSGJsJ7Z6ERuWXVYRtPB+9Jx46WniesEw/OVDROhEN8vA2g
         MUlrf7mcw4cupQ65lJ7sTZ2FwNBBm1yKiWrlZOnl1OFFrqSDV/ry+6NqsnKJXNwO9xar
         QxEn/Vf0o0BNrVTDyDIYNrSKVg7xzE/WBMqGNS0ZXHmEiGQSFKJyyAWjkUNDWDPaosQ9
         4MkFyqVNA04mPX3rd8fP7dyAesYJfD21hhtEqkkPUHFCpftuNsOBue1eanYigi6WltdJ
         xLop5igrFGQQiSLh4/TqTPsyp55Dbe5uhO0MEP1f6Q7bbtN7GjcOKv/ERdLvxwEt3ioI
         xG6Q==
X-Received: by 10.112.173.6 with SMTP id bg6mr3075403lbc.17.1391650172208;
 Wed, 05 Feb 2014 17:29:32 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.199.37 with HTTP; Wed, 5 Feb 2014 17:28:38 -0800 (PST)
In-Reply-To: <AC16ADC6-801E-4D0D-9FD4-0BEE2D017E16@rouvenwessling.de>
References: <9E3AA302-1EC1-4497-996F-716555CAAB64@rouvenwessling.de>
 <CAF+90c-32u=vVy4L4pB_OWGu2VmeUckxq8UW_AVJNC8iDtiWMQ@mail.gmail.com>
 <52F0139C.2060102@sugarcrm.com> <CAGa2bXZhT_8-BEjLuA4EPkZmxtpO1onz7AGTjCE-w85XC5pwdQ@mail.gmail.com>
 <CAGa2bXYab=2DeJu+ESWP_9Vte2FY37L2+kJFnuN4JwUj9Num1w@mail.gmail.com> <AC16ADC6-801E-4D0D-9FD4-0BEE2D017E16@rouvenwessling.de>
Date: Thu, 6 Feb 2014 10:28:38 +0900
X-Google-Sender-Auth: mOSb2A-EVreKALzLoI1igpWc6wY
Message-ID: <CAGa2bXa0i6LBykCNChcCXS+zgp+3KfMEi+H=umFAwL1mC0s__Q@mail.gmail.com>
To: =?UTF-8?Q?Rouven_We=C3=9Fling?= <me@rouvenwessling.de>
Cc: Stas Malyshev <smalyshev@sugarcrm.com>, Nikita Popov <nikita.ppv@gmail.com>, 
	PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c239be2a8a1204f1b2ce30
Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c239be2a8a1204f1b2ce30
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi Rouven,

On Thu, Feb 6, 2014 at 8:36 AM, Rouven We=C3=9Fling <me@rouvenwessling.de> =
wrote:

> > It could be optimized a little since 256 is too much for now.
> > How about make MAX returns max of 3 values?
> >
> > len =3D MAX(known_len, user_len, 64);
>
>
> What would this buy us? We still get branch on MAX and the memory access
> would still go the same memory if the string is shorter than 64 bytes.


I think we may ignore length leak and focus comparison.
len =3D MAX(known_len, 64) is for to make more difficult to guess short
secret(known_str) byte length, hopefully. Just trying to less obvious, but
it's not hiding.

Perhaps, something like this would be good enough.

+ /**
 +  * If known_string has a length of 0 we set the length to 1,
 +  * this will cause us to compare all bytes of userString with the null
byte which fails
 +  */
 + mod_len =3D MAX(known_len, 1);
len =3D MAX(user_len, 64); // Do not care much
len =3D MAX(known_len, len); // Do not care much

// These kind of operations have done somewhere anyway
// Just don't care.
k =3D (unsinged char *)emalloc(len+1)
u =3D (unsinged char *)emalloc(len+1);
memset(k, 0, len+1);
memset(u, 0, len+1);
strncpy(k, known_str, known_len);
strncpy(u, user_str, user_len);

 +
 + /* This is security sensitive code. Do not optimize this for speed. */
 + result =3D known_len - user_len;


+	for (j =3D 0; j < user_len; j++) {


+		result |=3D known_str[j % mod_len] ^ user_str[j];

for (; len > 0; len--) {

                                 result |=3D *k++ ^ *u++; // This must
be constant. Use simpler operation and keep constant operation here is
enough.

 + }

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c239be2a8a1204f1b2ce30--