rfc:timing_attack

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
rfc:timing_attack [2013/12/23 16:45]
realityking
rfc:timing_attack [2017/09/22 13:28] (current)
Line 1: Line 1:
  
 ====== Request for Comments: Timing attack safe string comparison function ====== ====== Request for Comments: Timing attack safe string comparison function ======
-  * Version: ​0.2+  * Version: ​1.0
   * Date: 2013-12-22   * Date: 2013-12-22
-  * Author: Rouven Weßling, me@rouvenwessling +  * Author: Rouven Weßling, me@rouvenwessling.de 
-  * Status: ​Under Discussion+  * Status: ​Implemented in 5.6 as hash_equals()
   * First Published at: http://​wiki.php.net/​rfc/​timing_attack   * First Published at: http://​wiki.php.net/​rfc/​timing_attack
  
Line 17: Line 17:
 ===== Proposal ===== ===== Proposal =====
  
-Implement a new function called hash_compare.+Implement a new function called hash_compare ​as part of ext/hash.
  
 Signature bool hash_compare(string knownString,​ string userString) Signature bool hash_compare(string knownString,​ string userString)
Line 36: Line 36:
  
 None. None.
- 
-===== Open Issues ===== 
- 
-  * Decide on a name for the function. 
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
  
 Patch including tests: https://​github.com/​realityking/​php-src/​compare/​timing_attack Patch including tests: https://​github.com/​realityking/​php-src/​compare/​timing_attack
 +
 +===== Vote =====
 +
 +<doodle title="​Timing attack safe string comparison function"​ auth="​realityking"​ voteType="​single"​ closed="​true">​
 +   * Yes
 +   * No
 +</​doodle>​
  
 ===== References ===== ===== References =====
Line 57: Line 60:
   * 0.1 Initial publication   * 0.1 Initial publication
   * 0.2 Renamed to hash_compare,​ added link to Zend Framework 2, removed information leak when knownString is empty (Thank you Tjerk)   * 0.2 Renamed to hash_compare,​ added link to Zend Framework 2, removed information leak when knownString is empty (Thank you Tjerk)
 +  * 1.0 Moved function to ext/hash. Started voting.
 +  * 1.1 Added section about differences between RFC and implementation ​
 +
 +===== Differences between this RFC and the implementation ====
 +  * The function is now called hash_equals
 +  * Both arguments passed to the function have to be strings, otherwise an E_WARNING is raised.
rfc/timing_attack.1387817130.txt.gz · Last modified: 2017/09/22 13:28 (external edit)