Constant-Time bin2hex() implementation #909
Conversation
|
hmm... did you ever try to make after your fix? where is hex's definition? and since hexconvtab not used anymore, the definition of it should also be removed. thanks |
|
How does this look now? :) |
|
Can you provide information as to how this performs compared to the previous implementation? I'm not fully convinced that PHP has need for a constant time bin2hex implementation. |
Do PHP developers use http://tonyarcieri.com/cream-the-scary-ssl-attack-youve-probably-never-heard-of (Spoiler: Yes, we do use these features to encode cryptographic secrets. So I would argue that they are a good enhancement to include in PHP 7) |
|
I think this needs some discussion on internals. If we worry about such things just replacing random functions is not enough - you should be sure all functions that handle your secret are constant-time, including the engine primitives, etc. I'm not sure just having one function does anything. But maybe I'm missing something here. |
This is just a start. I'd love to discuss it with "internals", but my only exposure to PHP's core dev is through github. |
|
@sarciszewski you can drop a mail to internals at lists.php.net :) |
|
@sarciszewski It must be added to the function entry list: https://github.com/sarciszewski/php-src/blob/patch-1/ext/standard/basic_functions.c#L2664. |
|
Ah, thank you. |
…sions to lowercase
…atched pattern and avoid zend_hash_find() calls for other paterns.
…d only if the right operand is interafce itself.
This comment has been minimized.
This comment has been minimized.
|
typo inerface -> interface |
This comment has been minimized.
This comment has been minimized.
|
fixed. thanks.
…On Wed, Jan 14, 2015 at 6:23 PM, Nikita Popov ***@***.*** wrote:
typo inerface -> interface
—
Reply to this email directly or view it on GitHub
2325758#commitcomment-9280074
.
|
* PHP-5.6: Update NEWS Fixed bug #55618 (use case-insensitive cert name matching)
… , so it was already closed
* 'master' of https://git.php.net/push/php-src: Fixed #68868 (Segfault in clean_non_persistent_constants() in SugarCRM 6.5.20)
Conflicts: ext/phar/phar_object.c
* PHP-5.6: Fixed Bug #68941 mod_files.sh is a bash-script
Conflicts: UPGRADING
* pull-request/1016: Implement RFC: Introduce session_start() options
* PHP-5.6: Use bash rather than sh
|
Ugh, this got messy. Time to start over. |
This comment has been minimized.
This comment has been minimized.
|
seems this function is not exposed in session_functions? is that by intentional? |
This comment has been minimized.
This comment has been minimized.
|
Hey @sgolemon what's with these proto comments? They are getting pulled out by the various doc scripts used by IDEs and other tools and they aren't the right format |
This comment has been minimized.
This comment has been minimized.
|
Why do you use public function getAddress() AddressInterface {
return $this->address;
}instead of the code public function getAddress() : AddressInterface {
return $this->address;
} |
This comment has been minimized.
This comment has been minimized.
|
I didn't really care about a symbol but it made it compatible with Hack/HHVM. |
Contant time bin2hex() implementation, taken from jedisct1/libsodium@814df1e