There are lots of authentication functions which end by comparing two
digests. The recent ccm_decrypt_message is typical, ending with
return (memcmp(tag, src + mlength, tlength) == 0);
This can leak information (via cache or timing) on the position of the
first difference, which might cause problems in some situations. Would
it be a good idea to add a side-channel silent memory comparison
function? The hardest question is, as often, how it should be named. But
it should be pretty easy to implement, I think
int
mem_equal (const void *ap, const void *bp, size_t n)
{
  /* volatile keeps the compiler from shortening the loop once d is non-zero */
  volatile const unsigned char *a = ap;
  volatile const unsigned char *b = bp;
  volatile unsigned char d;
  size_t i;
  /* OR together the XOR of every byte pair; the result is inspected only at the end */
  for (i = d = 0; i < n; i++)
    d |= a[i] ^ b[i];
  return d == 0;
}
should do (even if maybe volatile const is an unusual combination of
qualifiers). Is this a good name?
The nacl library (by djb et al) includes similar functions, see
http://nacl.cr.yp.to/verify.html.
Regards,
/Niels
--
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
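An added example, not from Niels' mail or from Nettle, that makes the leak concrete: it counts how many byte positions an early-exit compare inspects versus the proposed mem_equal, for a candidate tag that differs from the real one at a chosen byte. The naive_equal function, the step counters and the constructed sample tag are assumptions made for illustration.

```c
/* Added example, not from the mail or from Nettle: contrasts an early-exit
 * compare with the constant-work mem_equal proposed above, counting how many
 * byte positions each inspects. naive_equal, the step counters and the
 * sample tag are hypothetical instrumentation for illustration. */
#include <stddef.h>
#include <string.h>
#define TAG_LEN 16

/* The mail's mem_equal plus a step counter: touches all n bytes, OR-accumulates
 * a[i]^b[i], and inspects the result only at the end. */
static int ct_mem_equal (const void *ap, const void *bp, size_t n, size_t *steps)
{
  volatile const unsigned char *a = ap;
  volatile const unsigned char *b = bp;
  volatile unsigned char d = 0;
  size_t i;
  for (i = 0; i < n; i++)
    d |= a[i] ^ b[i];
  *steps = n;            /* work done never depends on the data */
  return d == 0;
}

/* The early-exit pattern a plain memcmp() == 0 may follow: stops at the first
 * differing byte, so the amount of work reveals that position. */
static int naive_equal (const unsigned char *a, const unsigned char *b,
                        size_t n, size_t *steps)
{
  size_t i;
  for (i = 0; i < n; i++)
    if (a[i] != b[i]) {
      *steps = i + 1;    /* proportional to the first difference */
      return 0;
    }
  *steps = n;
  return 1;
}

/* Builds a constructed 16-byte tag and a candidate differing only at byte
 * diff_at (diff_at >= TAG_LEN means identical), runs the chosen compare,
 * returns its step count and stores the compare result in *equal. */
size_t steps_for (size_t diff_at, int constant_time, int *equal)
{
  unsigned char tag[TAG_LEN], cand[TAG_LEN], i;
  size_t steps;
  for (i = 0; i < TAG_LEN; i++)
    tag[i] = (unsigned char) (0xA5 ^ i);   /* constructed sample tag */
  memcpy (cand, tag, TAG_LEN);
  if (diff_at < TAG_LEN)
    cand[diff_at] ^= 0x01;
  *equal = constant_time ? ct_mem_equal (tag, cand, TAG_LEN, &steps)
                         : naive_equal (tag, cand, TAG_LEN, &steps);
  return steps;
}
```

With the early-exit compare the step count tracks the first differing byte (1, 8, 16 for differences at bytes 0, 7, 15), while mem_equal reports 16 steps whatever the input.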