On 23.12.2013, at 20:45, Joe Watkins <krakjoe@php.net> wrote:
> It might belong in ext/hash, not sure ...
Since the function has no dependencies I'd like it to be available without extensions. However
that's not a battle I'm willing to die for.
> It's not a great idea to have it with the password stuff, as I first suggested, but I do
> think the two should share code, there's no reason to have two internal implementations of
> this, can you not make the code from password into a ZEND_API function and share it with this
> wherever you put it ??
Yes, that should be possible. password_verify is able to make some assumptions about the length of
the string, but that can just be removed.
On 27.12.2013, at 10:07, Pierre Joye <pierre.php@gmail.com> wrote:
>> "timingsafe_strcmp" or something in that
>> manner would be better. It simply describes what the function does.
>
> Can we not simply use an extra argument?
I'd be against adding a parameter to strcmp for this, as that would completely change the
function's semantics. Currently it returns an integer with different meanings for a negative,
positive or zero value. However, the "hash_compare" function only returns a boolean.
Best regards
Rouven
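
The following C example is added here for illustration and is not code from this message, from the thread participants, or from PHP itself. It shows a comparison helper of the kind discussed above: it returns only a boolean and works for any string length. The name `timing_safe_equals` is hypothetical, and returning early on a length mismatch assumes the lengths are not secret.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper name; not PHP's actual API.
 * Returns 1 if the buffers are equal, 0 otherwise (boolean only,
 * no ordering information as strcmp would give). */
int timing_safe_equals(const char *known, size_t known_len,
                       const char *user, size_t user_len)
{
    volatile unsigned char diff = 0;
    size_t i;

    /* Assumption: lengths are not secret, so a mismatch may
     * return early. No fixed length is assumed otherwise. */
    if (known_len != user_len) {
        return 0;
    }

    /* Touch every byte; never exit at the first difference, so the
     * run time does not depend on where the inputs diverge. */
    for (i = 0; i < known_len; i++) {
        diff |= (unsigned char)(known[i] ^ user[i]);
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values, not real digests. */
    const char *known = "a1b2c3d4e5f60718";
    const char *lower = "a1b2c3d4e5f60710";
    const char *higher = "a1b2c3d4e5f6071f";

    /* strcmp reports ordering (negative / zero / positive)... */
    printf("strcmp: %d %d %d\n", strcmp(lower, known) < 0,
           strcmp(known, known) == 0, strcmp(higher, known) > 0);

    /* ...while the helper only answers equal / not equal. */
    printf("equals: %d %d %d\n",
           timing_safe_equals(known, 16, lower, 16),
           timing_safe_equals(known, 16, known, 16),
           timing_safe_equals(known, 16, higher, 16));
    return 0;
}
```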