code.
>
> Regards
> Leslie
> Mr. Leslie Satenstein
> Montréal Québec, Canada
>
>
>
> From: Riley Baird
> To: Leslie S Satenstein
> Cc: "debian-security@lists.debian.org"
> Sent: Sunday, November 2, 2014 12:09 AM
> Subject: Re: streql
From: Riley Baird
> To: debian-security@lists.debian.org; Leslie S Satenstein
> ; Joel Rees
> Sent: Saturday, November 1, 2014 4:43 AM
> Subject: Re: streql - Constant-time string comparison
>
> I think I see the confusion between us. You are concerned with a fast
> algorit
>> Would you be willing to sponsor the upstream streql,
>
> Not sure what you mean there.
I was asking if you would be able to upload the Debian package of streql
that I made into the Debian archive. When I wrote it, I thought you were
a DD, but upon checking it seems that you aren't. So, are the
On Sat, Nov 01, 2014 at 04:21:53PM +, Jack wrote:
> This mailing list is for security announcements. All Debian users are
> encouraged to subscribe, so that they know about the latest threats and
> updates.
Incorrect; you're thinking of debian-security-announce, which is
moderated and only use
On Sat, Nov 1, 2014 at 9:56 PM, Joel Rees wrote:
> [...]
> Probably, the best solution for a constant-time compare is to
> pre-zero-fill the buffers and do binary compares (memcmp()) on the
> entire buffers. That means that these routines are a bit superfluous
> anyway.
I was distracted when I wr
On Sun, Nov 2, 2014 at 1:21 AM, Jack wrote:
> On 01/11/2014 16:07, Joel Rees wrote:
>>
>> Riley is under the impression that Python strings are counted,
>> rather than NUL-terminated. Given the answers to
>>
>> http://stackoverflow.com/questions/237128/is-there-a-reason-python-strings-dont-have-a-
On 01/11/2014 16:07, Joel Rees wrote:
>
> Riley is under the impression that Python strings are counted,
> rather than NUL-terminated. Given the answers to
>
> http://stackoverflow.com/questions/237128/is-there-a-reason-python-strings-dont-have-a-string-length-method
>
> I'm pretty sure he's rig
On Sun, Nov 2, 2014 at 12:39 AM, Leslie S Satenstein
wrote:
> Please explain from where or how you get xlen and ylen.
>
> Do you make a complete pass through the string looking for a NULL character?
> If you do, then you are going to check your string once for the length, and
> once for the matchi
Leslie
Mr. Leslie Satenstein
Montréal Québec, Canada
From: Joel Rees
To: Riley Baird
Cc: "debian-security@lists.debian.org"
Sent: Saturday, November 1, 2014 8:56 AM
Subject: Re: streql - Constant-time string comparison
On Sat, Nov 1, 2014 at 4:49 PM, Riley Baird
w
On Sat, Nov 1, 2014 at 4:49 PM, Riley Baird
wrote:
> On 31/10/14 09:43, Joel Rees wrote:
>> [...]
> This is a good way of doing the string comparison. However, it would
> seem that upstream isn't really interested in hiding the length of the
> strings, and doing so would only provide minimal secur
off line.
> Regards
> Leslie
> Mr. Leslie Satenstein
> Montréal Québec, Canada
>
>
>
> From: Joel Rees
> To: "debian-security@lists.debian.org"
> Sent: Thursday, October 30, 2014 11:38 AM
> Subject: Re: streql - Co
> Regards
> Leslie
> Mr. Leslie Satenstein
> Montréal Québec, Canada
>
>
>
> From: Joel Rees
> To: "debian-security@lists.debian.org"
> Sent: Thursday, October 30, 2014 6:43 PM
> Subject: Re: streql - Constant-time string compariso
On 31/10/14 09:43, Joel Rees wrote:
> I gotta quit coding when I should be asleep.
>
> On Fri, Oct 31, 2014 at 12:38 AM, Joel Rees wrote:
>> Here's the result of my work to this point:
>>
>> ---
>> /* Near-constant run time string/memory compare, with test frame.
>> ** by
g"
Sent: Thursday, October 30, 2014 11:38 AM
Subject: Re: streql - Constant-time string comparison
Here's the result of my work to this point:
---
/* Near-constant run time string/memory compare, with test frame.
** by Joel Rees,
** derived from work b
> Regards
> Leslie
> Mr. Leslie Satenstein
> Montréal Québec, Canada
>
>
>
> From: Riley Baird
> To: Leslie S Satenstein
> Cc: "debian-security@lists.debian.org" ;
> 765...@bugs.debian.org
> Sent: Wednesday, October 29, 2014 4:16 PM
To: Leslie S Satenstein
> Cc: "debian-security@lists.debian.org" ;
> 765...@bugs.debian.org
> Sent: Wednesday, October 29, 2014 4:16 PM
> Subject: Re: streql - Constant-time string comparison
>
> On 30/10/14 01:34, Leslie S Satenstein wrote:
>> Hi Riley
I gotta quit coding when I should be asleep.
On Fri, Oct 31, 2014 at 12:38 AM, Joel Rees wrote:
> Here's the result of my work to this point:
>
> ---
> /* Near-constant run time string/memory compare, with test frame.
> ** by Joel Rees,
> ** derived from work by Peter Scot
Here's the result of my work to this point:
---
/* Near-constant run time string/memory compare, with test frame.
** by Joel Rees,
** derived from work by Peter Scott, Riley Baird, et. al., see
** https://lists.debian.org/debian-security/2014/10/msg00060.html
** https://git
2014/10/30 16:52 "Nicolas Rachinsky" :
>
> * Joel Rees [2014-10-30 08:38 +0900]:
> > -
> > // The core function: test two regions of memory for bytewise equality
> > with constant time.
> > // If cmplength is less than min( xlen, ylen ), comparison is incomplete.
> > st
* Joel Rees [2014-10-30 08:38 +0900]:
> -
> // The core function: test two regions of memory for bytewise equality
> with constant time.
> // If cmplength is less than min( xlen, ylen ), comparison is incomplete.
> static int equals_internal_constime(
> const char *x, u
Running time could depend on the guess length, because it is not a secret
parameter.
The problem can appear in the produced machine code after compiler
optimisations.
// running time depends on the length of the guess
bool check_password(const char *guess, const char *actual) {
char result = 0;
const c
On Thu, Oct 30, 2014 at 4:58 AM, Riley Baird
wrote:
> On 29/10/14 19:55, Richard van den Berg wrote:
>> On 28-10-14 20:59 , Riley Baird wrote:
>>> As far as I can tell, your code ensures that even if the strings are of
>>> different length, an equality calculation should be performed anyway,
>>> h
On 30/10/14 01:34, Leslie S Satenstein wrote:
> Hi Riley
>
> Suppose the strings are 10k bytes each (10240), but they differ at byte zero,
> where is the break instruction to stop the compare?
Why would there need to be a break instruction? That would mean that the
time taken to compare strings
On 29/10/14 19:55, Richard van den Berg wrote:
> On 28-10-14 20:59 , Riley Baird wrote:
>> As far as I can tell, your code ensures that even if the strings are of
>> different length, an equality calculation should be performed anyway,
>> however returning 0, on the grounds that this would make it
On 28-10-14 20:59 , Riley Baird wrote:
> As far as I can tell, your code ensures that even if the strings are of
> different length, an equality calculation should be performed anyway,
> however returning 0, on the grounds that this would make it more
> difficult for an attacker to know that the tw
Upstream Author : Peter Scott
>>>> * URL :https://github.com/PeterScott/streql
>>>> * License : Apache 2.0
>>>> Section : python
>>>>
>>>> It builds those binary packages:
>>>>
>>>> pyt
equal length in equal time,
regardless
> >> of the content of the strings.
> >>
> >> * Package name: streql
> >> Version : 3.0.2-1
> >> Upstream Author : Peter Scott
> >> * URL :https://github.com/PeterScott/stre
.0.2-1
>> Upstream Author : Peter Scott
>> * URL : https://github.com/PeterScott/streql
>> * License : Apache 2.0
>> Section : python
>>
>> It builds those binary packages:
>>
>> python-streql - Constant-time string compar
ub.com/PeterScott/streql
> * License : Apache 2.0
> Section : python
>
> It builds those binary packages:
>
> python-streql - Constant-time string comparison (Python 2)
> python3-streql - Constant-time string comparison (Python 3)
> pypy-streql - Constant-time st
-streql - Constant-time string comparison (Python 2)
python3-streql - Constant-time string comparison (Python 3)
pypy-streql - Constant-time string comparison (PyPy)
To access further information about this package, please visit the following
URL:
http://mentors.debian.net/package/streql
Alternatively