[tor-dev] memcmp() & co. timing info disclosures?
Chris Palmer
chris at eff.org
Sat May 7 05:56:31 UTC 2011
On May 6, 2011, at 10:35 PM, Marsh Ray wrote:
> Of course, we could always just compute SHA-256 hashes of each side and then compare those, right? :-)
Yes, Brad Hill suggested that (in a Java/C# context). Nate Lawson didn't like it on performance grounds, but I don't recall hearing any correctness-related complaints.
http://www.isecpartners.com/blog/2011/2/18/double-hmac-verification.html
You could use the volatile sledgehammer, and then use a unit test to make sure that it remains working over time. And/or you could put it in its own file, and compile it with -O0, in case that helps.
--
Chris Palmer
Technology Director, Electronic Frontier Foundation
https://www.eff.org/code
More information about the tor-dev
mailing list