Hi,
I've submitted a PR to make the hash_equals function leak less information
about compared strings' lengths (benchmark and use cases available in
comments): https://github.com/php/php-src/pull/792
Trying to hide length is needed to replace Symfony and Joomla PHP
implementations by hash_equals (when available).
The idea:
- clearly advertise in the documentation that this function can potentially
leak lengths
- Try to make it harder for an attacker by using a more robust implementation.
If there is an agreement to use this kind of implementation, I'll
rework the PR to use some tricks from the CPython one (
https://github.com/python/cpython/blob/c7688b44387d116522ff53c0927169db45969f0e/Modules/_operator.c#L175
- use of volatile and no modulo).
Best regards,
Kévin Dunglas
Hello internals,
I've submitted this PR a long time ago:
https://github.com/php/php-src/pull/792
I still think it's a good idea to mitigate the length leak (rather than
returning immediately if strings are not of the same length) while
advertising in docs that the length will leak in any case.
php.net doc has been fixed, but - for instance - this is not the case of
the Symfony doc:
http://symfony.com/doc/current/components/security/secure_tools.html (this
method internally uses hash_equals, I've just submitted a PR to fix this doc
but I'm sure there is a lot of other misuses in the wild).
To summarize: a theoretical (especially for web apps, more annoying for CLI
apps) and advertised leak is better than a big undocumented leak. Can you
merge this PR?
2014-08-31 12:59 GMT+02:00 Kévin Dunglas dunglas@gmail.com:
Hi,
I've submitted a PR to make the hash_equals function leak less information
about compared strings' lengths (benchmark and use cases available in
comments): https://github.com/php/php-src/pull/792
Trying to hide length is needed to replace Symfony and Joomla PHP
implementations by hash_equals (when available).
The idea:
- clearly advertise in the documentation that this function can potentially
leak lengths
- Try to make it harder for an attacker by using a more robust implementation.
If there is an agreement to use this kind of implementation, I'll
rework the PR to use some tricks from the CPython one (
https://github.com/python/cpython/blob/c7688b44387d116522ff53c0927169db45969f0e/Modules/_operator.c#L175
- use of volatile and no modulo).
Best regards,
Kévin Dunglas
--
Kévin Dunglas
Consultant and freelance developer
http://dunglas.fr
Tel.: 06 60 91 20 20
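
The two comparison strategies discussed in this thread, side by side, as an added example that is not part of the original messages and is neither the PR's code nor CPython's. The function names and the sample MAC value are hypothetical; the second function follows the "volatile and no modulo" idea the first message mentions.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-return form: a length mismatch exits before any byte is read, so
 * one timing probe separates "wrong length" from "right length". */
static int equals_early_return(const unsigned char *known, size_t known_len,
                               const unsigned char *user, size_t user_len)
{
    volatile unsigned char result = 0;
    size_t i;

    if (known_len != user_len)
        return 0;
    for (i = 0; i < known_len; i++)
        result |= known[i] ^ user[i];
    return result == 0;
}

/* Length-masking form (hypothetical name). The loop always runs user_len
 * times, a value the caller already controls. On a mismatch the user string
 * is compared with itself and result starts at 1, so no modulo is needed to
 * wrap indexes into the known string. volatile stops the compiler from
 * folding the loop. This reduces the length leak; it does not remove it. */
static int equals_len_masked(const unsigned char *known, size_t known_len,
                             const unsigned char *user, size_t user_len)
{
    volatile size_t length = user_len;
    volatile const unsigned char *left = user;
    volatile const unsigned char *right = user;
    volatile unsigned char result = 1;
    size_t i;

    /* Two ifs instead of if/else keep both paths doing similar work. */
    if (known_len == length) { left = known; result = 0; }
    if (known_len != length) { left = user;  result = 1; }

    for (i = 0; i < length; i++)
        result |= *left++ ^ *right++;
    return result == 0;
}

int main(void)
{
    const unsigned char mac[] = "9f2c41aa"; /* constructed sample value */
    const unsigned char *bad = (const unsigned char *)"9f2c";
    printf("early=%d masked=%d\n", equals_early_return(mac, 8, bad, 4),
           equals_len_masked(mac, 8, bad, 4));
    return 0;
}
```

Both functions return the same answers; they differ only in how much work is done when the lengths disagree.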