phorge-phorge

mirror of https://we.phorge.it/source/phorge.git synced 2025-03-12 20:34:54 +01:00

History

epriestley 4a53fc339e Don't use "phutil_hashes_are_identical()" to compare public keys Summary: Ref T13436. There's no real security value to doing this comparison, it just wards off evil "security researchers" who get upset if you ever compare two strings with a non-constant-time algorithm. In practice, SSH public keys are pretty long, pretty public, and have pretty similar lengths. This leads to a relatively large amount of work to do constant-time comparisons on them (we frequently can't abort early after identifying differing string length). Test Plan: Ran `bin/ssh-auth --sshd-key ...` on `secure` with ~1K keys, saw runtime drop by ~50% (~400ms to ~200ms) with `===`. Maniphest Tasks: T13436 Differential Revision: https://secure.phabricator.com/D20875		2019-10-28 18:34:30 -07:00
..
almanac
cache
celerity
daemon
diviner
drydock
fact
files
fpm
init
install
lipsum
mail
repository
search
setup
sql
ssh	Don't use "phutil_hashes_are_identical()" to compare public keys	2019-10-28 18:34:30 -07:00
symbols
util
__init_script__.php
manage_bulk.php