[tor-dev] memcmp() & co. timing info disclosures?

Robert Ransom rransom.8774 at gmail.com
Sat May 7 04:47:38 UTC 2011

On Fri, 6 May 2011 23:14:58 -0400
Nick Mathewson <nickm at freehaven.net> wrote:

> Also, as I said on the bug, doing a memcmp in constant time is harder
> than doing eq/neq.  I *think* that all of the cases where we care
> about memcmp returning a tristate -1/0/1 result, we don't need
> data-independence... but in case we *do* need one, we'll have to do
> some malarkey like
> int memcmp(const void *m1, const void *m2, size_t n)
> {
> /*XXX I don't know if this is even right; I haven't tested it at all */
>   const uint8_t *b1 = m1, *b2 = m2;
>   int retval = 0;
>   while (n--) {
>     const uint8_t v1 = b1[n], v2 = b2[n];
>     int diff = (int)v1 - (int)v2;
>     retval = (v1 == v2) * retval + diff;
>   }
>   return retval;
> }
> which frankly makes me sad.  I bet there's a better way to go.

See attached.  This one is also untested (and I didn't even put the
“#include <stdint.h>” in the file), but it *should* work.

My technique for calculating equal_p came from my uint32-based
crypto_verify function in my previous message, which was in turn based
partly on DJB's crypto_verify functions and partly on a disassembly of
what GCC compiled DJB's functions to on a Fedora 12 AMD64 box.  But I
couldn't tell that the technique was correct, so this time I added
comments to it.

Robert Ransom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: safe_memcmp.c
Type: text/x-c++src
Size: 785 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20110506/9fc6c023/attachment.cc>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20110506/9fc6c023/attachment.pgp>

More information about the tor-dev mailing list