On 14/03/2015 8:20 p.m., Niels Möller wrote:
I think there's only one sensitive use of memcmp within nettle, and that's the tag comparison in ccm_decrypt_message. I've now written a private function memeql_sec to do that comparison in a more side-channel silent fashion.
static int
memeql_sec (const void *a, const void *b, size_t n)
{
  volatile const unsigned char *ap = (const unsigned char *) a;
  volatile const unsigned char *bp = (const unsigned char *) b;
  volatile unsigned char d;
  size_t i;
  for (d = i = 0; i < n; i++)
    d |= (ap[i] ^ bp[i]);
  return d == 0;
}
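For context, roughly how such a check might sit at the end of authenticated decryption (a sketch with illustrative names computed_tag, received_tag and tlength, not the actual ccm_decrypt_message code):

  /* Sketch of a tag check at the end of authenticated decryption. */
  if (!memeql_sec (computed_tag, received_tag, tlength))
    {
      /* Tag mismatch: report failure; the caller must not use the
         plaintext.  Because memeql_sec inspects every byte, the time
         spent here does not reveal how many leading tag bytes matched,
         unlike a memcmp that can return at the first difference. */
      return 0;
    }
  return 1;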
Is the compiler-optimized code for that for-loop faster or slower than a loop summing the differences?
{
  volatile const unsigned char *ap = (const unsigned char *) a + n - 1;
  volatile const unsigned char *bp = (const unsigned char *) b + n - 1;
  volatile unsigned char d;
  for (d = 0; ap >= (const unsigned char *) a; ap--, bp--)
    d += (*ap - *bp);
  return d == 0;
}
Or does the subtract-and-add still leak timing through CPU-internal optimizations that the XOR/OR bit-masking avoids?
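Aside from speed, one property of the summing loop seems worth checking with a standalone test (memeql_sum below is a hypothetical forward-indexed version of that loop, not anything in Nettle): since d is an unsigned char, byte differences that add up to a multiple of 256 wrap to zero, so the sum can report a match for buffers that differ.

#include <stdio.h>
#include <stddef.h>

/* Hypothetical summing variant of the comparison, for illustration only. */
static int
memeql_sum (const void *a, const void *b, size_t n)
{
  volatile const unsigned char *ap = (volatile const unsigned char *) a;
  volatile const unsigned char *bp = (volatile const unsigned char *) b;
  volatile unsigned char d;
  size_t i;
  for (d = 0, i = 0; i < n; i++)
    d += (unsigned char) (ap[i] - bp[i]);
  return d == 0;
}

int
main (void)
{
  /* Two differing 2-byte buffers whose byte differences sum to 256,
     which wraps to 0 in an unsigned char, so the sum-based test
     wrongly reports the buffers as equal. */
  unsigned char x[2] = { 0x00, 0x00 };
  unsigned char y[2] = { 0x80, 0x80 };
  printf ("%d\n", memeql_sum (x, y, 2));   /* prints 1: a false match */
  return 0;
}

The OR-of-XOR form does not have that failure mode, since any nonzero XOR sets bits that the OR never clears.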
NB: That would allow this function to take the uint8_t pointers that most of Nettle operates with.
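A sketch of what that signature might look like, just to illustrate the suggestion (not a proposed patch):

#include <stdint.h>   /* uint8_t */
#include <stddef.h>   /* size_t */

/* Same comparison as above, but typed on uint8_t like most Nettle interfaces. */
static int
memeql_sec (const uint8_t *a, const uint8_t *b, size_t n)
{
  volatile const uint8_t *ap = a;
  volatile const uint8_t *bp = b;
  volatile uint8_t d;
  size_t i;
  for (d = i = 0; i < n; i++)
    d |= (ap[i] ^ bp[i]);
  return d == 0;
}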
(Sorry if that's a dumb question; it's been a long time since I worked on anything like this.)
AYJ