This is an automated email from the git hooks/post-receive script. gregoa pushed a commit to annotated tag v1.030099_001 in repository libnet-openid-common-perl.
commit 7973dd40126c3ac2620df1318ec450c7f24c5930 Author: Adam Sjøgren <a...@koldfront.dk> Date: Sat Jul 17 15:21:52 2010 +0200 Try handling possible Timing Attack problems See http://lists.openid.net/pipermail/openid-security/2010-July/001156.html and: $ perl -MBenchmark -e '$x="x" x 10000000; $y="y" . "x" x 9999999; Benchmark::timethese(100000000, { same=>sub { $x eq $x }, different=>sub { $x eq $y } });' Benchmark: timing 100000000 iterations of different, same... different: 9 wallclock secs ( 8.70 usr + 0.04 sys = 8.74 CPU) @ 11441647.60/s (n=100000000) same: 9 wallclock secs ( 9.88 usr + 0.08 sys = 9.96 CPU) @ 10040160.64/s (n=100000000) $ Benchmark of new OpenID::util::timing_indep_eq(): Benchmark: timing 10 iterations of different, same... different: 39 wallclock secs (38.23 usr + 0.43 sys = 38.66 CPU) @ 0.26/s (n=10) same: 38 wallclock secs (37.51 usr + 0.33 sys = 37.84 CPU) @ 0.26/s (n=10)
---
 lib/Net/OpenID/Common.pm | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/lib/Net/OpenID/Common.pm b/lib/Net/OpenID/Common.pm
index 690375c..548d969 100644
--- a/lib/Net/OpenID/Common.pm
+++ b/lib/Net/OpenID/Common.pm
@@ -206,5 +206,19 @@ sub arg2bi {
 return bytes2bi(MIME::Base64::decode_base64($_[0]));
 }
+sub timing_indep_eq {
+ my ($x, $y)=@_;
+
+ return '' if length($x)!=length($y);
+
+ my $n=length($x);
+
+ my $result=0;
+ for (my $i=0; $i<$n; $i++) {
+ $result |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
+ }
+
+ return !$result;
+}
 1;
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libnet-openid-common-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
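Review bot: `timing_indep_eq` returns true when both arguments are undefined (or one is undefined and the other empty): the `length($x)!=length($y)` guard does not reject that case, the loop then runs zero times, and `!$result` is true. For a helper meant to compare signatures, a missing value on either side should compare unequal, so I would make the first statement `return '' unless defined($x) && defined($y);`. The early return on a length mismatch is itself data-dependent; that is normally acceptable for fixed-length MAC values, but it deserves a comment such as `# length is not treated as secret; only the content comparison avoids an early exit`. The callers are not part of this diff, so whether an undefined value can actually reach this function is not visible here.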