rfc:timing_attack

Differences

This shows you the differences between two versions of the page.

rfc:timing_attack [2013/12/23 16:45] realitykingrfc:timing_attack [2014/04/13 21:32] realityking
Line 1: Line 1:
  
 ====== Request for Comments: Timing attack safe string comparison function ====== ====== Request for Comments: Timing attack safe string comparison function ======
-  * Version: 0.2+  * Version: 1.0
   * Date: 2013-12-22   * Date: 2013-12-22
-  * Author: Rouven Weßling, me@rouvenwessling +  * Author: Rouven Weßling, me@rouvenwessling.de 
-  * Status: Under Discussion+  * Status: Accepted (implemented in 5.6 as hash_equals())
   * First Published at: http://wiki.php.net/rfc/timing_attack   * First Published at: http://wiki.php.net/rfc/timing_attack
  
Line 17: Line 17:
 ===== Proposal ===== ===== Proposal =====
  
-Implement a new function called hash_compare.+Implement a new function called hash_compare as part of ext/hash.
  
 Signature bool hash_compare(string knownString, string userString) Signature bool hash_compare(string knownString, string userString)
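Review bot: The added Proposal line and the unchanged Signature line both still call the function hash_compare, while the header hunk of this same revision sets Status to "Accepted (implemented in 5.6 as hash_equals())". A reader who copies the signature from this section gets a name that differs from the one the Status line says shipped. Either rename it here and in the signature, or add a sentence to the Proposal saying the function was implemented under the name hash_equals.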
Line 36: Line 36:
  
 None. None.
- 
-===== Open Issues ===== 
- 
-  * Decide on a name for the function. 
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
  
 Patch including tests: https://github.com/realityking/php-src/compare/timing_attack Patch including tests: https://github.com/realityking/php-src/compare/timing_attack
 +
 +===== Vote =====
 +
 +<doodle title="Timing attack safe string comparison function" auth="realityking" voteType="single" closed="true">
 +   * Yes
 +   * No
 +</doodle>
  
 ===== References ===== ===== References =====
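Review bot: The Vote section is added with closed="true" and only the options Yes and No, so the page records that a vote took place but not when it opened and closed or what the result was. Add the voting period and the final tally next to the doodle block. The removed Open Issues item "Decide on a name for the function" is also dropped without the text saying which name was chosen, so a short note on that decision would help.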
Line 57: Line 60:
   * 0.1 Initial publication   * 0.1 Initial publication
   * 0.2 Renamed to hash_compare, added link to Zend Framework 2, removed information leak when knownString is empty (Thank you Tjerk)   * 0.2 Renamed to hash_compare, added link to Zend Framework 2, removed information leak when knownString is empty (Thank you Tjerk)
 +  * 1.0 Moved function to ext/hash. Started voting.
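Review bot: The new changelog entry "1.0 Moved function to ext/hash. Started voting." leaves out two things the Status line in this revision states: that the RFC was accepted and that the function was implemented as hash_equals(). Since entry 0.2 records the earlier rename to hash_compare, the changelog should record the later rename and the acceptance as well, either in the 1.0 entry or in a follow-up entry.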
rfc/timing_attack.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1