Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:73284 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 23927 invoked from network); 19 Mar 2014 00:28:43 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 19 Mar 2014 00:28:43 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.179 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.217.179 mail-lb0-f179.google.com Received: from [209.85.217.179] ([209.85.217.179:63438] helo=mail-lb0-f179.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 31/19-16983-9B4E8235 for ; Tue, 18 Mar 2014 19:28:42 -0500 Received: by mail-lb0-f179.google.com with SMTP id p9so5425305lbv.10 for ; Tue, 18 Mar 2014 17:28:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=oOFc9ViYbDHM7D8hgOTdnKOujnrmtQs/67dVG9GUFiQ=; b=EV2t1qQZmVvRS1sr4jbwMsDjrJXmZBAVDd1iYaimSW+oPPIji28C+W86E4/4cDXmPa zczerJgxX49sjVYKb8N5Rvc/9vtNXSIuwVaisAwTzjBB7HJZo+Dzc/o1gjIX2uTNkQD7 0SWwGWLwQgr3D15dEx0lkAULMxg4cWNKmQTEiCebLPCBU7Xryf87pW7TVGPgg2pAXmIo XTTH9GWE9QPmv+6roNWnjAzml5q6AVQ9y/zr1vqfzDeDbVTwbDrXbWhZIE5+uosWLKiM mbZSUwMxhBEkrTcq5XE4luA4pORjCOICwY7EYQjfGC29Cva4UixDpplsFpeeF+JEisFC O35w== X-Received: by 10.112.94.229 with SMTP id df5mr71022lbb.36.1395188918033; Tue, 18 Mar 2014 17:28:38 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.112.205.73 with HTTP; Tue, 18 Mar 2014 17:27:57 -0700 (PDT) In-Reply-To: References: <9E3AA302-1EC1-4497-996F-716555CAAB64@rouvenwessling.de> <4403BF54-041A-42F7-8B93-16EC3B2B0F43@rouvenwessling.de> Date: Wed, 19 Mar 2014 09:27:57 +0900 X-Google-Sender-Auth: nyY7IUJOSR0VIVyvvtC6jWyoJZk Message-ID: To: Ferenc Kovacs Cc: Adam Harvey , =?UTF-8?Q?Rouven_We=C3=9Fling?= , PHP internals Content-Type: multipart/alternative; boundary=001a1135f7acdaa21804f4eabb04 Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a1135f7acdaa21804f4eabb04 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi all, On Wed, Mar 19, 2014 at 3:56 AM, Ferenc Kovacs wrote: > > > > From benchmark result, overhead for timing safe comparison is > negligible > > > > with byte by byte comparison. > > > > I would like to see timing safe "=3D=3D=3D" for 5.6, if it's possib= le. (=3D=3D > could > > > > be timing safe, too) > > > > > > > > Is anyone working on it? > > > > > > I don't know if someone else is, but I am not. > > > > I'm not in favour of this =E2=80=94 identity doesn't imply timing safet= y, and > > I think we should keep operators as performant as possible. > > > > Agree and afair it was explicitly stated as out of scope for this rfc. > (sorry for not merging this sooner, thanks Adam for thaking care of this)= . > Benchmark reveals performance issue is negligible. Regardless of where it is implemented, simple byte by byte compare is the best. We may ignore length leak at all. It's simpler (less risk) and faster. It's better to make =3D=3D=3D timing safe like Python, since it would be far less risks than dedicated API, but we may consider this later if the risk is getting greater. I need API to be exposed so that I can use it anywhere in PHP. Please make a PHPAPI. -- Yasuo Ohgaki yohgaki@ohgaki.net --001a1135f7acdaa21804f4eabb04--