This is an automated email from the git hooks/post-receive script.

gregoa pushed a commit to annotated tag v1.030099_001
in repository libnet-openid-common-perl.

commit 7973dd40126c3ac2620df1318ec450c7f24c5930
Author: Adam Sjøgren <a...@koldfront.dk>
Date:   Sat Jul 17 15:21:52 2010 +0200

    Try handling possible Timing Attack problems
    
    See http://lists.openid.net/pipermail/openid-security/2010-July/001156.html
    and:
    
    $ perl -MBenchmark -e '$x="x" x 10000000; $y="y" . "x" x 9999999; Benchmark::timethese(100000000, { same=>sub { $x eq $x }, different=>sub { $x eq $y } });'
    Benchmark: timing 100000000 iterations of different, same...
     different:  9 wallclock secs ( 8.70 usr +  0.04 sys =  8.74 CPU) @ 11441647.60/s (n=100000000)
          same:  9 wallclock secs ( 9.88 usr +  0.08 sys =  9.96 CPU) @ 10040160.64/s (n=100000000)
    $
    
    Benchmark of new OpenID::util::timing_indep_eq():
    
    Benchmark: timing 10 iterations of different, same...
     different: 39 wallclock secs (38.23 usr +  0.43 sys = 38.66 CPU) @  0.26/s (n=10)
          same: 38 wallclock secs (37.51 usr +  0.33 sys = 37.84 CPU) @  0.26/s (n=10)
---
 lib/Net/OpenID/Common.pm | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/lib/Net/OpenID/Common.pm b/lib/Net/OpenID/Common.pm
index 690375c..548d969 100644
--- a/lib/Net/OpenID/Common.pm
+++ b/lib/Net/OpenID/Common.pm
@@ -206,5 +206,19 @@ sub arg2bi {
     return bytes2bi(MIME::Base64::decode_base64($_[0]));
 }
 
+sub timing_indep_eq {
+    my ($x, $y)=@_;
+
+    return '' if length($x)!=length($y);
+
+    my $n=length($x);
+
+    my $result=0;
+    for (my $i=0; $i<$n; $i++) {
+        $result |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
+    }
+
+    return !$result;
+}
 
 1;
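
Review bot: In timing_indep_eq, the guard `return '' if length($x)!=length($y);` does not cover undefined arguments: when both $x and $y are undef the lengths compare equal, the loop body never runs, and the sub returns true. Suggest an explicit `return '' unless defined $x && defined $y;` ahead of the length check. The early return also means run time still depends on whether the two lengths match; that is acceptable when both inputs are digests of a fixed, public length, but the sub carries no comment or POD saying so, and a short note on the intended inputs would help callers. Lastly, the diffstat shows only this helper being added (1 file, 14 insertions), so no existing `eq` comparison is switched to it here and no test accompanies it; both should follow.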

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-perl/packages/libnet-openid-common-perl.git
