Newsgroups: php.internals
From: me@rouvenwessling.de (Rouven Weßling)
Date: Sun, 23 Feb 2014 19:31:38 +0100
Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function
To: PHP internals
Cc: Solar Designer

Hello together,

I've updated the patch, taking the following feedback into account:
-Renamed function to hash_equals
-Error out early in case string lengths are not equal (I've maintained the name known_string and user_string to allow improving this in the future, also makes for a nicer error message)
-Only allow strings to be compared

The patch can be found here: https://github.com/realityking/php-src/compare/hash_equals

If anyone thinks that this needs a new RFC please say so.

Best regards
Rouven

On 23.02.2014, at 16:11, Rouven Weßling wrote:

> I'm incredibly sorry I haven't been able to get back to this earlier.
>
> The RFC was accepted 22 to 1. As there was an abundance of feedback during the voting period and beyond I'll update the implementation accordingly. After that I'll discuss whether this goes into 5.6 or 5.7 with the RMs.
>
> Best regards
> Rouven
>
> On 02.02.2014, at 23:50, Rouven Weßling wrote:
>
>> Hi internals,
>>
>> as I've received no further feedback I've opened the voting on "Timing attack safe string comparison function":
>>
>> - https://wiki.php.net/rfc/timing_attack
>>
>> Voting ends on 2014/02/09 11:00PM UTC
>>
>> Best regards
>> Rouven
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
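
The early length check and byte-by-byte comparison mentioned in the update above, sketched in C as an added example (this is not the code from the patch or from php-src). The function names `early_exit_equals` and `ct_equals`, the `examined` counter, the `-1` return value for a length mismatch and the sample strings are assumptions made for illustration; only the parameter names `known_string` and `user_string` come from the message.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit comparison (memcmp-style). *examined reports how many bytes
 * were read; it depends on where the first mismatch sits, which is the
 * signal a timing measurement picks up. */
static int early_exit_equals(const char *a, const char *b, size_t len,
                             size_t *examined)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = len;
    return 1;
}

/* Hypothetical helper: 1 = equal, 0 = different, -1 = length mismatch.
 * The early length exit reveals only the length; after it, every byte is
 * read and differences are OR-ed together with no data-dependent branch. */
static int ct_equals(const char *known_string, size_t known_len,
                     const char *user_string, size_t user_len,
                     size_t *examined)
{
    unsigned char diff = 0;
    size_t i;
    *examined = 0;
    if (known_len != user_len)
        return -1;
    for (i = 0; i < known_len; i++)
        diff |= (unsigned char)known_string[i] ^ (unsigned char)user_string[i];
    *examined = known_len;
    return diff == 0;
}

int main(void)
{
    const char *known = "0123456789abcdef";   /* constructed sample value */
    const char *guess = "0123456X89abcdef";   /* first mismatch at index 7 */
    size_t n_early, n_ct;
    int r_early = early_exit_equals(known, guess, 16, &n_early);
    int r_ct = ct_equals(known, 16, guess, 16, &n_ct);
    printf("early-exit: result=%d bytes=%zu\n", r_early, n_early);
    printf("constant:   result=%d bytes=%zu\n", r_ct, n_ct);
    return 0;
}
```

The byte counter stands in for elapsed time: the early-exit version reads a different number of bytes depending on the mismatch position, while `ct_equals` reads all of them once the lengths match.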