Hi,

On Sun, Apr 26, 2020 at 11:25:49AM +0200, Steffan Karger wrote:
> >> well, sometimes to adhere to the codestyle, you have to re-arrange code :)
> > 
> > "rearrange" and "rewrite in a not easy to understand way" (which looks
> > a bit overthought to me, TBH - unlike "secure memzero" I cannot see an
> > obvious reason why all that volatile would be relevant).
> 
> This secure memcmp is relevant to avoid timing side channels in e.g.
> authentication tag compare. Think about the HMAC in our tls-auth/crypt
> and the HMAC of (non-AEAD) data channel packets.

I do understand why it has to be constant *time*, in regards to "do the
compared buffers differ or not".

I do not see how all this "volatile" and "copy from pointer to variables
to other stuff" handwaving is going to make any difference wrt constant
time comparison.

And it hurts my eyes.

[..]
> This kind of code is a tricky balance between "prevent the compiler from
> optimizing it to a not-constant-time implementation" 

How could the compiler optimize *this* code?  It has very explicit
instructions to build the xor of every single byte in the buffer and
or them all together, and return the result as an integer.

Unlike secure_memzero() whatever compiler optimization is chosen, it
still needs to do the actual math for *all bytes*.   It can not optimize
out "if a string does not match early on, end comparisons earlier".

(It could, if the result is already 0xff, but that optimization would
slow down the loop, so I would find that very surprising)


> and "as much
> performance as we can get". Moving this responsibility to the crypto
> library seems like a good idea to me.
> 
> And because our recommended data channel ciphers are AEAD ciphers for
> which the auth tag compare is handled internally by the crypto library,
> I don't care so much for the performance aspect. Want best security? Use
> AEAD! Want best performance? Use AEAD!
> 
> You get the point. Use AEAD ;-)

Now that's definitely a strong argument against my "inline! performance!"
argument.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
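
The loop described in this message (XOR every byte pair, OR the results together, return the integer) next to a variant that routes its accesses through volatile, as an added example. This is not OpenVPN's code or the patch under discussion; the function names and sample tags are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Plain form: XOR each byte pair and OR the result into an accumulator.
 * There is no early exit in the source, so all len bytes are processed. */
int ct_memcmp_plain(const void *a, const void *b, size_t len)
{
    const uint8_t *pa = a, *pb = b;
    uint8_t diff = 0;

    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(pa[i] ^ pb[i]);
    return diff; /* 0 when equal, non-zero otherwise */
}

/* Volatile form: same arithmetic, but every load and every accumulator
 * update is a volatile access, which the compiler must emit as written. */
int ct_memcmp_volatile(const void *a, const void *b, size_t len)
{
    const volatile uint8_t *pa = a, *pb = b;
    volatile uint8_t diff = 0;

    for (size_t i = 0; i < len; i++) {
        uint8_t x = pa[i], y = pb[i];
        diff = (uint8_t)(diff | (x ^ y));
    }
    return diff;
}

/* Constructed sample tags (hypothetical values, not real HMAC output). */
static const uint8_t tag_ok[8]   = {0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x04};
static const uint8_t tag_same[8] = {0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x04};
static const uint8_t tag_head[8] = {0x00,0xad,0xbe,0xef,0x01,0x02,0x03,0x04};
static const uint8_t tag_tail[8] = {0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x05};

int main(void)
{
    /* A mismatch in the first byte and one in the last byte both run
     * the full loop; only the accumulated value differs. */
    printf("same: %d %d\n", ct_memcmp_plain(tag_ok, tag_same, 8),
           ct_memcmp_volatile(tag_ok, tag_same, 8));
    printf("head: %d %d\n", ct_memcmp_plain(tag_ok, tag_head, 8),
           ct_memcmp_volatile(tag_ok, tag_head, 8));
    printf("tail: %d %d\n", ct_memcmp_plain(tag_ok, tag_tail, 8),
           ct_memcmp_volatile(tag_ok, tag_tail, 8));
    return 0;
}
```

Building both functions with optimization enabled and reading the generated assembly (for example `cc -O2 -S`) shows what the compiler actually emitted for each form on a given target.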
