Re: [RFC] Timing attack safe string comparison function

From:	Andrea Faulds	Date:	Sun, 22 Dec 2013 17:25:48 +0000
Subject:	Re: [RFC] Timing attack safe string comparison function
References:	1	Groups:	php.internals
Request:	Send a blank email to internals+get-70835@lists.php.net to get a copy of this message

On 22/12/13 17:08, Rouven Weßling wrote:
Hi internals,

I'd like to propose this RFC to introduce a time-constant string comparison function: https://wiki.php.net/rfc/timing_attack

I will not open the voting before January 7 to account for holidays.

Best regards
Rouven


Hi Rouven, this looks like a great proposal!

I note your patch uses C++-style (// foobar) comments. However, according to the coding standards[0], only C-style (/* foobar */) comments should be used.

Unfortunately I can't comment otherwise on your patch as I'm not a security expert.

[0] https://github.com/php/php-src/blob/master/CODING_STANDARDS

-- 
Andrea Faulds
http://ajf.me/


   

Thread (40 messages)

• Rouven WeßlingSun, 22 Dec 2013 17:08:09 +0000
  • Andrea FauldsSun, 22 Dec 2013 17:25:48 +0000
    • Rouven WeßlingMon, 23 Dec 2013 09:45:29 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:01:26 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:03:43 +0000
        • Yasuo OhgakiMon, 23 Dec 2013 22:30:36 +0000
          • Jake A. SmithTue, 24 Dec 2013 03:59:57 +0000
            • Thomas HruskaTue, 24 Dec 2013 04:35:15 +0000
              • Yasuo OhgakiTue, 24 Dec 2013 06:37:56 +0000
                • Thomas HruskaTue, 24 Dec 2013 08:28:36 +0000
                • Sara GolemonFri, 27 Dec 2013 13:57:51 +0000
                  • Adam HarveyFri, 27 Dec 2013 18:12:23 +0000
                    • Yasuo OhgakiFri, 27 Dec 2013 21:57:00 +0000
                      • Jake A. SmithSat, 28 Dec 2013 00:02:53 +0000
                        • Yasuo OhgakiSat, 28 Dec 2013 00:39:06 +0000
                          • Andrea FauldsSat, 28 Dec 2013 01:41:10 +0000
                            • Sanford WhitemanSat, 28 Dec 2013 07:31:32 +0000
                            • Rouven WeßlingSun, 19 Jan 2014 22:40:22 +0000
                  • Stas MalyshevFri, 27 Dec 2013 19:44:21 +0000
            • Mateusz KocielskiFri, 27 Dec 2013 09:04:07 +0000
              • Pierre JoyeFri, 27 Dec 2013 09:07:38 +0000
                • Rouven WeßlingFri, 27 Dec 2013 13:55:39 +0000
                  • Sara GolemonFri, 27 Dec 2013 14:03:14 +0000
      • Tjerk MeestersMon, 23 Dec 2013 14:15:06 +0000
  • Yasuo OhgakiSun, 22 Dec 2013 23:55:02 +0000
  • Tjerk MeestersMon, 23 Dec 2013 01:26:05 +0000
  • Joe WatkinsMon, 23 Dec 2013 09:09:06 +0000Re: [RFC] Timing attack safe string comparison function
    • Yasuo OhgakiMon, 23 Dec 2013 09:45:50 +0000Re: Re: [RFC] Timing attack safe string comparison function
  • Stas MalyshevMon, 23 Dec 2013 10:11:39 +0000
    • Joe WatkinsMon, 23 Dec 2013 10:20:46 +0000
    • Rouven WeßlingMon, 23 Dec 2013 10:26:42 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:42:41 +0000
      • Joe WatkinsMon, 23 Dec 2013 10:50:01 +0000
        • Marco PivettaMon, 23 Dec 2013 11:04:10 +0000
          • Joe WatkinsMon, 23 Dec 2013 11:16:47 +0000
            • Joe WatkinsMon, 23 Dec 2013 11:19:25 +0000
            • Marco PivettaMon, 23 Dec 2013 11:25:35 +0000
          • Rouven WeßlingMon, 23 Dec 2013 16:46:14 +0000
            • Joe WatkinsMon, 23 Dec 2013 19:45:58 +0000
• Iwan LuijksFri, 27 Dec 2013 20:15:53 +0000RE: [PHP-DEV] [RFC] Timing attack safe string comparison function