[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <87y5et7rvi.fsf@mid.deneb.enyo.de>
Date: Tue, 12 Feb 2013 11:23:29 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: Daniel Borkmann <borkmann@...earbox.net>
Cc: gregkh@...uxfoundation.org, akpm@...ux-foundation.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] lib: memcmp_nta: add timing-attack secure memcmp
* Daniel Borkmann:
> On 02/11/2013 08:00 PM, Florian Weimer wrote:
>> * Daniel Borkmann:
>
> Thanks for your feedback, Florian!
>
>>> + * memcmp_nta - memcmp that is secure against timing attacks
>>
>> It's not providing an ordering, so it should not have "cmp" in the
>> name.
>
> I agree. What would you suggest? Probably, it would make sense to
> integrate this into the Linux crypto API and name it sth like ...
>
> crypto_mem_verify(const void *,const void *,__kernel_size_t)
>
> ... which returns:
>
> == 0 - mem regions equal each other
> != 0 - mem regions do not equal each other
crypto_mem_equal or crypto_mem_equals should be fine. Or anything
else which matches an existing function name with similar function.
>>> + for (su1 = cs, su2 = ct; 0 < count; ++su1, ++su2, count--)
>>> + res |= (*su1 ^ *su2);
>>
>> The compiler could still short-circuit this loop. Unlikely at
>> present, but this looks like a maintenance hazard.
>
> So then better we leave out '|' as a possible candidate and rewrite it as:
>
> + for (su1 = cs, su2 = ct; 0 < count; ++su1, ++su2, count--)
> + res += (*su1 ^ *su2);
That will cause false matches for long inputs.
If we had only four platforms to support, I would write this function
in assembler because it will be considerably easier to read.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists