Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 5 May 2015 08:24:42 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: fweimer@...hat.com
Subject: Re: PHP and some == wonkiness

On Tue, May 05, 2015 at 09:44:00AM +0200, Florian Weimer wrote:
> On 05/05/2015 09:26 AM, mancha wrote:
> 
> > Taking sha1 as our reference hash and "==" as our equivalence relation:
> > 
> > All [a-f][0-9a-f]{39} are in equivalence class A.
> > 
> > All 42[a-f][0-9a-f]{37} are in equivalence class B.
> > 
> > Note: those regexes aren't representative of the full equivalence
> > classes because prepending 0s doesn't alter the value (i.e.
> > 0[a-f][0-9a-f]{38} is in equivalence class "A" as well..
> 
> I cannot reproduce this.  Or you use “equivalence class” in a
> non-standard way.
> 
> -- Florian Weimer / Red Hat Product Security

I was using "equivalence class" in a standard way but mis-understood
PHP's casting rules when comparing strings so never mind that comment.

To raise the SNR back up, I agree with your assessment if we account for
prepended 0s. So out of the 16^40 total hashes, I believe
10^38+10^37+...+10^1 of them will evaluate to float(0). A bit higher
than your estimate (which only considered 10^38 of them). Same order of
magnitude though.

--mancha

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ