Hi,
On Mon, Dec 23, 2013 at 1:08 AM, Rouven Weßling <me@rouvenwessling.de> wrote:
> Hi internals,
>
> I'd like to propose this RFC to introduce a time-constant string
> comparison function: https://wiki.php.net/rfc/timing_attack
>
>
On the whole it looks okay.
The special branch for known_len == 0 && user_len != 0 can be avoided by
doing something like this:

    mod_len = max(known_len, 1);

And then use j % mod_len instead of j % known_len to avoid a division
by zero; since x mod 1 always yields 0 you will always be comparing
against the null byte of the known string.
I will not open the voting before January 7 to account for holidays.
>
> Best regards
> Rouven
--
Tjerk
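
The mod_len suggestion from the message above, written out as an added C example (it is not code from the RFC or from php-src). The function name `ct_str_equals`, its signature and the sample strings are assumptions, and `known` is assumed to be NUL-terminated:

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (name and signature are assumptions for this example).
 * `known` must be NUL-terminated so known[0] is readable when known_len == 0. */
static int ct_str_equals(const char *known, size_t known_len,
                         const char *user, size_t user_len)
{
    /* max(known_len, 1): the modulus is never zero, so no special branch. */
    size_t mod_len = known_len > 0 ? known_len : 1;
    /* Any length difference sets a bit that the loop can never clear. */
    size_t result = known_len ^ user_len;
    size_t j;

    /* The loop count depends only on the caller-supplied length; there is
     * no early exit on the first mismatching byte. */
    for (j = 0; j < user_len; j++) {
        /* With known_len == 0, j % 1 == 0, so every user byte is XORed
         * with the terminating NUL of `known`. */
        result |= (unsigned char)(known[j % mod_len] ^ user[j]);
    }
    return result == 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    printf("%d\n", ct_str_equals("secret", 6, "secret", 6));
    printf("%d\n", ct_str_equals("", 0, "abc", 3));
    printf("%d\n", ct_str_equals("ab", 2, "abab", 4));
    return 0;
}
```

The "ab" versus "abab" case matches byte for byte once the index wraps, so only the length term makes the comparison fail.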