On Fri, Jan 27, 2006, Richard Salz wrote:

> > I'd consider an implementation of memcmp that doesn't early stop as soon
> > as it sees a difference as completely broken, performance wise. Memcmp
> > returns an ordered comparison but that can be done as soon as the first
> > bit difference is seen.
>
> Me too. But look at the ASN1 for a certificate. Given two certs, how far
> down the chain are you first likely to see a difference? Use that as your
> DER offset. That's why I suggested starting at the *end*. I should have
> left out the part about starting at the beginning.
>

The first four octets will most likely be 0x30, 0x82, len_high, len_low so yes
that won't tell you much. Starting from the end will access the signature which
for valid (not maliciously constructed) certificates is likely to differ pretty
quickly.

For a valid match you still need to compare the whole thing of course.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
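
The point made in the message above, as an added example that is not part of the original e-mail or of OpenSSL's code: an equality check over two DER blobs that can scan from either end and reports how many octets it examined. The buffers are constructed stand-ins for certificates (shared header and body, differing trailing bytes), and `der_equal`, `make_sample` and `sample_examined` are hypothetical names.

```c
#include <stdio.h>
#include <stddef.h>

#define CERT_LEN 1024  /* constructed size, not a real certificate */
#define SIG_LEN  64    /* constructed trailing "signature" octets */

/* Equality check over two DER blobs; from_end selects the scan direction.
 * Early exit is acceptable here because certificates are public data.
 * Returns 1 if identical; *examined gets the number of octets compared. */
static int der_equal(const unsigned char *a, size_t alen,
                     const unsigned char *b, size_t blen,
                     int from_end, size_t *examined)
{
    size_t n;
    *examined = 0;
    if (alen != blen) return 0;
    for (n = 0; n < alen; n++) {
        size_t i = from_end ? alen - 1 - n : n;
        *examined = n + 1;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constructed sample: SEQUENCE header, shared body, seed-dependent tail. */
static void make_sample(unsigned char *buf, unsigned char seed)
{
    size_t i, body = CERT_LEN - 4;
    buf[0] = 0x30; buf[1] = 0x82;           /* SEQUENCE, two length octets */
    buf[2] = (unsigned char)(body >> 8);    /* len_high */
    buf[3] = (unsigned char)(body & 0xff);  /* len_low */
    for (i = 4; i < CERT_LEN - SIG_LEN; i++) buf[i] = 0xAA;
    for (; i < CERT_LEN; i++) buf[i] = (unsigned char)(seed + i);
}

/* Octets examined when comparing two samples built from the given seeds. */
size_t sample_examined(int from_end, unsigned char seed_a, unsigned char seed_b)
{
    static unsigned char a[CERT_LEN], b[CERT_LEN];
    size_t examined;
    make_sample(a, seed_a);
    make_sample(b, seed_b);
    der_equal(a, CERT_LEN, b, CERT_LEN, from_end, &examined);
    return examined;
}

int main(void)
{
    printf("differing, from start: %zu\n", sample_examined(0, 1, 2));
    printf("differing, from end:   %zu\n", sample_examined(1, 1, 2));
    printf("identical, from end:   %zu\n", sample_examined(1, 1, 1));
    return 0;
}
```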