Constant-Time bin2hex() implementation #909
Conversation
hmm... did you ever try to make after your fix?
where is hex's definition? and since hexconvtab not used anymore, the definition of it should also be removed. thanks |
How does this look now? :) |
Can you provide information as to how this performs compared to the previous implementation? I'm not fully convinced that PHP has need for a constant time bin2hex implementation. |
Do PHP developers use http://tonyarcieri.com/cream-the-scary-ssl-attack-youve-probably-never-heard-of (Spoiler: Yes, we do use these features to encode cryptographic secrets. So I would argue that they are a good enhancement to include in PHP 7) |
I think this needs some discussion on internals. If we worry about such things just replacing random functions is not enough - you should be sure all functions that handle your secret are constant-time, including the engine primitives, etc. I'm not sure just having one function does anything. But maybe I'm missing something here. |
This is just a start. I'd love to discuss it with "internals", but my only exposure to PHP's core dev is through github. |
@sarciszewski you can drop a mail to internals at lists.php.net :) |
@sarciszewski It must be added to the function entry list: https://github.com/sarciszewski/php-src/blob/patch-1/ext/standard/basic_functions.c#L2664. |
Ah, thank you. |
…sions to lowercase
…atched pattern and avoid zend_hash_find() calls for other paterns.
…d only if the right operand is interafce itself.
This comment has been minimized.
This comment has been minimized.
typo inerface -> interface |
This comment has been minimized.
This comment has been minimized.
fixed. thanks.
…On Wed, Jan 14, 2015 at 6:23 PM, Nikita Popov ***@***.*** wrote:
typo inerface -> interface
—
Reply to this email directly or view it on GitHub
2325758#commitcomment-9280074
.
|
* PHP-5.6: Update NEWS Fixed bug #55618 (use case-insensitive cert name matching)
… , so it was already closed
* 'master' of https://git.php.net/push/php-src: Fixed #68868 (Segfault in clean_non_persistent_constants() in SugarCRM 6.5.20)
Conflicts: ext/phar/phar_object.c
* PHP-5.6: Fixed Bug #68941 mod_files.sh is a bash-script
Conflicts: UPGRADING
* pull-request/1016: Implement RFC: Introduce session_start() options
* PHP-5.6: Use bash rather than sh
Ugh, this got messy. Time to start over. |
This comment has been minimized.
This comment has been minimized.
seems this function is not exposed in session_functions? is that by intentional? |
This comment has been minimized.
This comment has been minimized.
Hey @sgolemon what's with these proto comments? They are getting pulled out by the various doc scripts used by IDEs and other tools and they aren't the right format |
This comment has been minimized.
This comment has been minimized.
Why do you use public function getAddress() AddressInterface {
return $this->address;
} instead of the code public function getAddress() : AddressInterface {
return $this->address;
} |
This comment has been minimized.
This comment has been minimized.
I didn't really care about a symbol but it made it compatible with Hack/HHVM. |
Contant time bin2hex() implementation, taken from jedisct1/libsodium@814df1e