Skip to content

Introduction of timing attack safe bcmp implementation. #4729

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Introduction of timing attack safe bcmp implementation. #4729

wants to merge 2 commits into from

Conversation

devnexen
Copy link
Member

Nothing new but to refactor usage b/w hash and password
extensions but using volatile pointers to be a bit safer,
allowing to expand its usage eventually.

staabm
staabm reviewed Sep 20, 2019
View reviewed changes
@devnexen devnexen force-pushed the safe_bcmp_intro branch 2 times, most recently from 49969b0 to b7106eb Compare September 25, 2019 13:01
@devnexen
Copy link
Member Author

devnexen commented Jun 6, 2020
edited
Loading

ping :) @nikic @staabm

@cmb69
Copy link
Member

cmb69 commented Dec 28, 2021

Would it make sense to add the length check (both strings must have same length) to php_safe_bcmp() (and accepting zend_strings instead of void*s)? Otherwise, I'd like to see a respective comment.

Anyway, could you please resolve the merge conflicts?

@devnexen
Copy link
Member Author

devnexen commented Dec 28, 2021
edited
Loading

Sure I can give it a try

@devnexen devnexen force-pushed the safe_bcmp_intro branch 2 times, most recently from 757af67 to 955eaee Compare December 28, 2021 17:05
@cmb69
Copy link
Member

cmb69 commented Dec 29, 2021

This looks reasonable to me (not sure about adding a new file for that). More review welcome!

@ramsey
Copy link
Member

ramsey commented May 31, 2022

What's the status of this PR? Still waiting for review? Can we get this into master for 8.2?

@ramsey ramsey added this to the PHP 8.2 milestone May 31, 2022
@devnexen
Copy link
Member Author

devnexen commented Jun 9, 2022

ping :-)

Girgias
Girgias approved these changes Jun 20, 2022
View reviewed changes
Copy link
Member

@Girgias Girgias left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM other than the nits

main/php.h
@@ -179,6 +179,10 @@ END_EXTERN_C()
#define explicit_bzero php_explicit_bzero
#endif

BEGIN_EXTERN_C()
PHPAPI int php_safe_bcmp(const zend_string *a, const zend_string *b);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe add a comment either here to indicate that -1 is if the strings do not have the same lengths, 0 if they match and 1 if they are not equal?

devnexen added 2 commits June 20, 2022 13:10
@devnexen
Introduction of timing attack safe bcmp implementation.
737d65f 
Nothing new but to refactor usage b/w hash and password
extensions but using volatile pointers to be a bit safer,
allowing to expand its usage eventually.
@devnexen
W32 build fix attempt
a76882b
@devnexen
Copy link
Member Author

Closed by bfe6f9e66

@devnexen devnexen closed this Jun 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@staabm staabm staabm left review comments

@Girgias Girgias Girgias approved these changes

Assignees
No one assigned
Labels
Extension: hash Extension: standard Feature Waiting on Review
Projects
None yet
Milestone
PHP 8.2
Development

Successfully merging this pull request may close these issues.
6 participants
@devnexen @cmb69 @ramsey @staabm @Girgias @krakjoe