Date: Tue, 5 May 2015 09:01:09 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: fweimer@...hat.com
Subject: Re: PHP and some == wonkiness

On Tue, May 05, 2015 at 08:24:42AM +0000, mancha wrote:
> On Tue, May 05, 2015 at 09:44:00AM +0200, Florian Weimer wrote:
> > On 05/05/2015 09:26 AM, mancha wrote:
> > 
> > > Taking sha1 as our reference hash and "==" as our equivalence
> > > relation:
> > > 
> > > All [a-f][0-9a-f]{39} are in equivalence class A.
> > > 
> > > All 42[a-f][0-9a-f]{37} are in equivalence class B.
> > > 
> > > Note: those regexes aren't representative of the full equivalence
> > > classes because prepending 0s doesn't alter the value (i.e.
> > > 0[a-f][0-9a-f]{38} is in equivalence class "A" as well).
> > 
> > I cannot reproduce this.  Or you use “equivalence class” in a
> > non-standard way.
> > 
> > -- Florian Weimer / Red Hat Product Security
> 
> I was using "equivalence class" in a standard way but misunderstood
> PHP's casting rules when comparing strings, so never mind that comment.
> 
> To raise the SNR back up, I agree with your assessment if we account
> for prepended 0s. So out of the 16^40 total hashes, I believe
> 10^38+10^37+...+10^1 of them will evaluate to float(0). A bit higher
> than your estimate (which only considered 10^38 of them). Same order
> of magnitude though.
> 
> --mancha

That has a small off-by-one because 40 0s will be cast to float(0) when
compared to those.

Also, we have equivalence classes such as:

2e00000000000000000000000000000000000001
02e0000000000000000000000000000000000001
...
0000000000000000000000000000000000002e01
00000000000000000000000000000000000002e1
0000000000000000000000000000000000000020

--mancha
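As an added illustration (not part of the thread), the Python below models the PHP `==` rule the posts discuss, restricted to the hex-digest alphabet: when both strings are numeric strings (digit runs, optionally with `e` and an exponent), PHP compares them as floats. It reproduces the `float(0)` count 10^38+...+10^1 plus the all-zero digest, cross-checks the formula by brute force for a short digest length, and confirms that the five strings listed above fall into one class (value 20). The regex and the `float('inf')` overflow handling are assumptions about PHP's behaviour stated here, not calls into PHP itself.

```python
import re
from itertools import product

# Hex digests contain only [0-9a-f], so the only PHP numeric-string shapes that
# can occur are a digit run or digits 'e' digits. Assumption: no sign, dot or
# whitespace forms need modelling, which holds for sha1/md5 hex output.
NUMERIC_HEX = re.compile(r"^([0-9]+)(?:e([0-9]+))?$")

def php_numeric_value(digest: str):
    """Float that PHP's == would compare, or None if the digest is not a numeric string."""
    m = NUMERIC_HEX.match(digest)
    if not m:
        return None
    mantissa, exponent = m.group(1), m.group(2)
    if exponent is None:
        return float(int(mantissa))          # plain digit run, e.g. "000...020"
    if int(mantissa) == 0:
        return 0.0                           # "0e..." class: zero whatever the exponent
    try:
        return float(int(mantissa)) * 10.0 ** int(exponent)
    except OverflowError:
        return float("inf")                  # PHP yields INF for out-of-range exponents

def loose_equal(a: str, b: str) -> bool:
    """PHP-style == on two digests: numeric compare if both are numeric, else exact string compare."""
    va, vb = php_numeric_value(a), php_numeric_value(b)
    if va is None or vb is None:
        return a == b
    return va == vb

def count_float_zero(n: int) -> int:
    """Digests of length n that PHP casts to float(0): '0'*k + 'e' + (n-k-1) digits for
    k = 1..n-2 (10^(n-2) + ... + 10^1 for n = 40), plus the all-zero digest itself."""
    return sum(10 ** (n - k - 1) for k in range(1, n - 1)) + 1

def brute_force_zero_count(n: int) -> int:
    """Enumerate all 16**n digests (small n only) and count those equal to float(0)."""
    return sum(1 for t in product("0123456789abcdef", repeat=n)
               if php_numeric_value("".join(t)) == 0.0)

# The equivalence class given in the post (constructed from its five lines).
CLASS_20 = [
    "2e00000000000000000000000000000000000001",
    "02e0000000000000000000000000000000000001",
    "0000000000000000000000000000000000002e01",
    "00000000000000000000000000000000000002e1",
    "0000000000000000000000000000000000000020",
]
```

Comparing digests with `===` or `hash_equals()` avoids the numeric cast entirely.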