On Fri, May 6, 2011 at 7:13 PM, Marsh Ray marsh@extendedsubset.com wrote:
> Greetings all,
Hi, Marsh!
I replied on https://trac.torproject.org/projects/tor/ticket/3122#comment:4 . The particular case that you mention is (I think) safe (see discussion there), but the problem in general is worrisome and we should indeed replace (nearly) all of our memcmps with data-independent variants.
(Pedantic nit-pick: we should be saying "data-independent," not "constant-time." We want a memcmp(a,b,c) that takes the same number of cycles for a given value of c no matter what a and b are. That's data-independence. A constant-time version would be one that took the same number of cycles no matter what c is.)
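To make the "data-independent" distinction concrete, here is an added example of the kind of replacement the reply is asking for. It is written for this page and is not Tor's own tor_memeq/tor_memcmp (whose internals it does not claim to reproduce); the names mem_eq_naive, mem_eq_di and memcmp_di are hypothetical. The naive version stops at the first mismatching byte, so its running time reveals how long the matching prefix is; the two data-independent versions touch every byte and select their result with masks rather than branches, so for a fixed n the instruction stream is the same whatever a and b contain. Running time still grows with n, which is exactly why it is "data-independent" and not "constant-time".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Leaky comparison: returns as soon as a byte differs, so the time taken
 * depends on where the first mismatch is. This is the behaviour that
 * makes a MAC or digest check usable as a byte-by-byte guessing oracle. */
int mem_eq_naive(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    for (size_t i = 0; i < n; i++)
        if (pa[i] != pb[i])
            return 0;            /* early exit leaks the prefix length */
    return 1;
}

/* Data-independent equality test: OR together every XOR'd byte pair and
 * only then collapse the accumulator to 0/1. Reads all n bytes of both
 * buffers regardless of content; no data-dependent branch anywhere.
 * Returns 1 if equal, 0 otherwise. */
int mem_eq_di(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned)(pa[i] ^ pb[i]);
    /* diff is 0..255. (diff - 1) wraps to all-ones only when diff == 0,
     * so bit 8 (and every higher bit) is set exactly in the equal case. */
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* Data-independent three-way compare with the same sign convention as
 * memcmp: negative if a < b, zero if equal, positive if a > b.
 * Walk from the last byte to the first; each differing byte overwrites
 * the running result, so the lowest-index difference is processed last
 * and wins, just as in an early-exit memcmp, but without the early exit. */
int memcmp_di(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    int retval = 0;
    for (size_t i = n; i-- > 0; ) {
        int diff = (int)pa[i] - (int)pb[i];          /* -255 .. 255 */
        unsigned ud = (unsigned)diff;
        /* nz = 1 if diff != 0, else 0: the top bit of (ud | -ud) is set
         * for every nonzero value and clear only for zero. */
        int nz = (int)(((ud | (0u - ud)) >> (sizeof(unsigned) * 8 - 1)) & 1u);
        int mask = -nz;                               /* 0 or all ones */
        /* retval = nz ? diff : retval, selected with the mask, not a branch */
        retval = (diff & mask) | (retval & ~mask);
    }
    return retval;
}

int main(void)
{
    /* Constructed sample digests, not real protocol data. */
    const unsigned char expected[8] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
    const unsigned char forged[8]   = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x05 };

    printf("naive  : equal=%d\n", mem_eq_naive(expected, forged, sizeof expected));
    printf("di     : equal=%d\n", mem_eq_di(expected, forged, sizeof expected));
    printf("3-way  : %d (memcmp says %d)\n",
           memcmp_di(expected, forged, sizeof expected),
           memcmp(expected, forged, sizeof expected));
    return 0;
}
```

Two caveats a practitioner would check before relying on this. First, the C source being branch-free is not the same as the emitted machine code being branch-free: optimizing compilers have been known to recognize mask-select idioms and turn them back into conditional jumps, so inspect the disassembly of the hot loop (for example with `objdump -d`) for conditional branches, and treat any rewrite as needing a re-check. Second, both buffers must be at least n bytes long, since every byte is read unconditionally; the equality form is what digest and MAC checks need, and the three-way form is only worth its extra cost where callers genuinely need an ordering.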