Hi, I've submitted a PR to make the hash_equals function leak less information about compared strings' lengths (benchmark and use cases available in comments): https://github.com/php/php-src/pull/792
Trying to hide the length is needed to replace the Symfony and Joomla PHP implementations with hash_equals (when available).

The idea:
- clearly advertise in the documentation that this function can potentially leak lengths;
- try to make it harder for an attacker by using a more robust implementation.

If there is an agreement to use this kind of implementation, I'll rework the PR to use some tricks from the CPython one (https://github.com/python/cpython/blob/c7688b44387d116522ff53c0927169db45969f0e/Modules/_operator.c#L175 - use of volatile and no modulo).

Best regards,

-- 
Kévin Dunglas
http://dunglas.fr
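The "CPython tricks" the message refers to, written out as an added example. This is not the code from the php-src PR, nor the CPython source, nor Kévin's own implementation; it is an illustration in the same style: a volatile accumulator, no modulo, and a loop whose trip count depends only on the attacker-supplied length, so neither the position of the first mismatch nor the length of the secret shows up in the loop timing. The function name ct_compare and the early-exit foil naive_compare are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>

/*
 * naive_compare: the behaviour hash_equals is meant to replace. It returns as
 * soon as a byte differs (or when the lengths differ), so the running time
 * reveals how many leading bytes of the guess were right and whether the
 * guess had the right length.
 */
int naive_compare(const unsigned char *known, size_t known_len,
                  const unsigned char *user, size_t user_len)
{
    size_t i;
    if (known_len != user_len) {
        return 0;
    }
    for (i = 0; i < known_len; i++) {
        if (known[i] != user[i]) {
            return 0;            /* early exit: leaks the mismatch position */
        }
    }
    return 1;
}

/*
 * ct_compare: constant-time comparison modelled on the approach the message
 * links to (assumption: this is an illustration, not a copy of either PR).
 *
 *  - The loop always runs user_len iterations. user_len is the attacker's
 *    own input, so the iteration count tells them nothing they did not know.
 *  - When the lengths differ, the secret is never read; the user string is
 *    compared against itself so the same amount of work is done, and the
 *    result is forced to "mismatch" up front.
 *  - Every byte is OR-ed into a volatile accumulator with no early exit and
 *    no data-dependent branch, so the position of the first differing byte
 *    does not affect timing.
 *
 * Caveat: the single length-equality branch still leaks one bit per call
 * (whether the guess had the right length). That is the residual leak the
 * message proposes to document rather than claim to eliminate.
 */
int ct_compare(const unsigned char *known, size_t known_len,
               const unsigned char *user, size_t user_len)
{
    const volatile unsigned char *left = known;
    const volatile unsigned char *right = user;
    volatile unsigned char result = 0;
    size_t i;

    if (known_len != user_len) {
        left = right;            /* compare user against itself */
        result = 1;              /* and force a mismatch */
    }

    for (i = 0; i < user_len; i++) {
        result |= left[i] ^ right[i];
    }

    return result == 0;
}

/* Convenience wrapper for NUL-terminated strings (example helper only). */
int ct_compare_str(const char *known, const char *user)
{
    return ct_compare((const unsigned char *)known, strlen(known),
                      (const unsigned char *)user, strlen(user));
}
```

Both functions agree on every input; the difference is only in what the clock shows. A quick way to see the point is to time ct_compare_str against a secret with guesses of the same length that differ in byte 0 versus byte N-1: the early-exit version separates the two cases, the constant-time one does not.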