Newsgroups: php.internals
Date: Mon, 10 Feb 2014 10:37:58 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: PHP internals, Dmitry Stogov
Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function

Hi Dmitry,

On Mon, Feb 10, 2014 at 10:15 AM, Yasuo Ohgaki wrote:
> str_word_compare Elapsed: 1.337508 Iterations: 1000000 DataSize: 128
> str_compare Elapsed: 1.194582 Iterations: 1000000 DataSize: 128
>
> str_word_compare() is the winner for relatively large data.
> It seems the difference is marginal.

It may be better to make ==/=== string comparison timing safe by default if the php_word_compare() implementation does not have a timing issue.

Patch for php_word_compare() is https://github.com/yohgaki/php-src/commit/302a53db87c93b469fb85041e8c505207e3a6d9c

What do you think?

Regards,

P.S. xxhash32 is surprisingly fast, but it has limited hash space. Therefore, it's not a good idea to use it for string comparison. IIRC, or if it has not changed, Zend uses the old DJB hash. It may be a good idea to use xxhash for PHP arrays.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
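As an added illustration of the byte-wise versus word-wise timing-safe comparison being benchmarked above (example code written for this note, not the linked patch or php-src code; the function names ct_bytes_equal, ct_words_equal and ct_equal are hypothetical):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Byte-wise constant-time compare: OR-accumulates XOR differences so the
 * running time depends only on len, not on where the first mismatch is.
 * Returns 1 if equal, 0 otherwise. */
int ct_bytes_equal(const unsigned char *a, const unsigned char *b, size_t len)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++) {
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}

/* Word-wise variant: consumes sizeof(size_t) bytes per step (memcpy avoids
 * unaligned-access UB), then finishes the tail byte by byte. Same flat
 * timing profile, fewer loop iterations for large inputs. */
int ct_words_equal(const unsigned char *a, const unsigned char *b, size_t len)
{
    size_t acc = 0;
    size_t i = 0;
    for (; i + sizeof(size_t) <= len; i += sizeof(size_t)) {
        size_t wa, wb;
        memcpy(&wa, a + i, sizeof wa);
        memcpy(&wb, b + i, sizeof wb);
        acc |= wa ^ wb;
    }
    unsigned char tail = 0;
    for (; i < len; i++) {
        tail |= a[i] ^ b[i];
    }
    return (acc | tail) == 0;
}

/* Length-aware wrapper: unequal lengths are reported as unequal (length is
 * not treated as secret here), but the known string is always scanned over
 * its full length so timing never reveals how many leading bytes matched. */
int ct_equal(const char *known, size_t known_len, const char *user, size_t user_len)
{
    const unsigned char *k = (const unsigned char *)known;
    /* On a length mismatch compare known against itself to keep the work constant. */
    const unsigned char *u = (user_len == known_len) ? (const unsigned char *)user : k;
    int same = ct_words_equal(k, u, known_len);
    return same & (user_len == known_len);
}
```

An early-return memcmp-style loop would stop at the first differing byte, which is the per-byte timing difference the thread is trying to eliminate.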