Newsgroups: php.internals
From: aharvey@php.net (Adam Harvey)
Date: Tue, 18 Mar 2014 09:13:33 -0700
Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function
To: Rouven Weßling
Cc: Yasuo Ohgaki, PHP internals

On 18 March 2014 04:23, Rouven Weßling wrote:
>
> On 18.03.2014, at 02:04, Yasuo Ohgaki wrote:
>
> > On Mon, Feb 3, 2014 at 7:50 AM, Rouven Weßling wrote:
> >>
> >> as I've received no further feedback I've opened the voting on "Timing
> >> attack safe string comparison function":
> >>
> >> - https://wiki.php.net/rfc/timing_attack
> >
> > Is there any progress?
>
> The pull request (https://github.com/php/php-src/pull/608) for that RFC is waiting to be merged, I hope someone gets to it before beta1.

I'll look at merging it today.

> > From benchmark result, overhead for timing safe comparison is negligible
> > with byte by byte comparison.
> > I would like to see timing safe "===" for 5.6, if it's possible. (== could
> > be timing safe, too)
> >
> > Is anyone working on it?
>
> I don't know if someone else is, but I am not.

I'm not in favour of this — identity doesn't imply timing safety, and I think we should keep operators as performant as possible.

Adam
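
Added example (not part of the message above, the RFC, or the php-src pull request): a C sketch contrasting an early-exit equality check with a byte-by-byte comparison whose work does not depend on where the inputs differ. The function names, the `examined` counter (a deterministic stand-in for measured running time) and the sample secret are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample value standing in for a stored MAC or token. */
static const char SECRET[] = "5f2a9c41d07b3e86";

/* Early-exit comparison: returns at the first differing byte. *examined is
 * the number of bytes read, a deterministic stand-in for the running time. */
int leaky_equals(const char *known, const char *user, size_t len, size_t *examined)
{
    for (size_t i = 0; i < len; i++) {
        if (known[i] != user[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = len;
    return 1;
}

/* Byte-by-byte comparison that reads every byte and folds the differences
 * into one accumulator, so the work does not depend on where they differ.
 * A length mismatch is rejected up front: only the content is protected. */
int timing_safe_equals(const char *known, size_t known_len,
                       const char *user, size_t user_len, size_t *examined)
{
    volatile unsigned char diff = 0; /* volatile: discourage short-circuiting */
    *examined = 0;
    if (known_len != user_len)
        return 0;
    for (size_t i = 0; i < known_len; i++) {
        diff |= (unsigned char)(known[i] ^ user[i]);
        (*examined)++;
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed guesses of the correct length: 0, 4 and 16 matching leading bytes. */
    const char *guesses[] = { "0000000000000000", "5f2a000000000000", SECRET };
    size_t len = strlen(SECRET), a, b;
    for (int i = 0; i < 3; i++) {
        int r1 = leaky_equals(SECRET, guesses[i], len, &a);
        int r2 = timing_safe_equals(SECRET, len, guesses[i], strlen(guesses[i]), &b);
        printf("%s equal=%d/%d bytes read: early-exit=%zu timing-safe=%zu\n", guesses[i], r1, r2, a, b);
    }
    return 0;
}
```

The early-exit count grows with the length of the matching prefix, while the byte-by-byte count stays at the full length for every same-length input.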