Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:73268
Return-Path: <me@rouvenwessling.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 41185 invoked from network); 18 Mar 2014 11:23:31 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 18 Mar 2014 11:23:31 -0000
Authentication-Results: pb1.pair.com smtp.mail=me@rouvenwessling.de; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=me@rouvenwessling.de; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain rouvenwessling.de designates 5.35.242.46 as permitted sender)
X-PHP-List-Original-Sender: me@rouvenwessling.de
X-Host-Fingerprint: 5.35.242.46 rouvenwessling.de Linux 2.6
Received: from [5.35.242.46] ([5.35.242.46:41907] helo=lvps5-35-242-46.dedicated.hosteurope.de)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 6C/63-23742-1BC28235 for <internals@lists.php.net>; Tue, 18 Mar 2014 06:23:30 -0500
Received: by lvps5-35-242-46.dedicated.hosteurope.de (Postfix, from userid 5001)
	id C23CF69F14F8; Tue, 18 Mar 2014 12:23:26 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	lvps5-35-242-46.dedicated.hosteurope.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00
	autolearn=ham version=3.3.1
Received: from [192.168.0.124] (ip-88-152-75-113.unitymediagroup.de [88.152.75.113])
	by lvps5-35-242-46.dedicated.hosteurope.de (Postfix) with ESMTPA id 2CDB969F03BF;
	Tue, 18 Mar 2014 12:23:26 +0100 (CET)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
In-Reply-To: <CAGa2bXbPA_LPT85XpNj8G=ivYw+ynZf_LuuFLt7t2MDU1hXx2w@mail.gmail.com>
Date: Tue, 18 Mar 2014 12:23:25 +0100
Cc: PHP internals <internals@lists.php.net>
Content-Transfer-Encoding: quoted-printable
Message-ID: <4403BF54-041A-42F7-8B93-16EC3B2B0F43@rouvenwessling.de>
References: <9E3AA302-1EC1-4497-996F-716555CAAB64@rouvenwessling.de> <CAGa2bXbPA_LPT85XpNj8G=ivYw+ynZf_LuuFLt7t2MDU1hXx2w@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
X-Mailer: Apple Mail (2.1874)
Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function
From: me@rouvenwessling.de (=?iso-8859-1?Q?Rouven_We=DFling?=)


On 18.03.2014, at 02:04, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> On Mon, Feb 3, 2014 at 7:50 AM, Rouven We=DFling =
<me@rouvenwessling.de> wrote:
>=20
>> Hi internals,
>>=20
>> as I've received no further feedback I've opened the voting on =
"Timing
>> attack safe string comparison function":
>>=20
>> - https://wiki.php.net/rfc/timing_attack
>>=20
>=20
> Is there any progress?

The pull request (https://github.com/php/php-src/pull/608) for that RFC =
is waiting to be merged, I hope someone gets to it before beta1.

> =46rom benchmark result, overhead for timing safe comparison is =
negligible
> with byte by byte comparison.
> I would like to see timing safe "=3D=3D=3D" for 5.6, if it's possible. =
(=3D=3D could
> be timing safe, too)
>=20
> Is anyone working on it?

I don't know if someone else is, but I am not.

Best regards
Rouven=