Newsgroups: php.internals
Xref: news.php.net php.internals:72328
Date: Thu, 6 Feb 2014 08:09:06 +0100
From: pierre.php@gmail.com (Pierre Joye)
To: Stas Malyshev
Cc: "internals@lists.php.net"
In-Reply-To: <52F33350.1060800@sugarcrm.com>
References: <9E3AA302-1EC1-4497-996F-716555CAAB64@rouvenwessling.de>
 <52F0139C.2060102@sugarcrm.com> <52F30E3B.1090302@oracle.com> <52F33350.1060800@sugarcrm.com>
Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function

On Thu, Feb 6, 2014 at 8:01 AM, Stas Malyshev wrote:
> Hi!
>
>> We do not have to overreact here. It is, for a change, that there is
>> clear consensus about the need or wish for this feature. It is not a
>> trivial thing to implement, but we have time to make it rock solid
>> until final 5.6.0.
>
> There's a consensus about the feature as it was proposed,

For what I see there is one: https://wiki.php.net/rfc/timing_attack

> but when all
> kind of things start to be added to it, that eventually becomes a
> different feature from one that was voted on.

What I mean is that the need for a function to do hash equality tests
with timing attack protection got a positive consensus. The
implementation details are indeed subject to change and will certainly
get updates until 5.6.0 final, and surely afterwards as well.

> If the proposal is not
> ready, then the vote should be delayed. If it's ready then the constant
> stream of changes, tweaks and additions looks strange - it's really hard
> to know what the vote is actually about.

There are a couple of caveats that need to be solved. Not sure it needs
a new vote, but that should not be a problem to redo it.

My point is that such a feature seems to be desired for 5.6 and we
should try to make sure it gets in, as long as it is possible.

Cheers,
--
Pierre

@pierrejoye | http://www.libgd.org