[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] memcmp() & co. timing info disclosures?

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] memcmp() & co. timing info disclosures?
From: Robert Ransom <rransom.8774@xxxxxxxxx>
Date: Fri, 6 May 2011 21:47:38 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 07 May 2011 00:47:59 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:date:from:to:subject:message-id:in-reply-to :references:x-mailer:mime-version:content-type; bh=0fbBT82DQ6ICGSvmJ59nVEMaOzdOxieaDqrEv5V2CKs=; b=dpvCYixMTnl0j0J+4WAvUwGnQDwBOv9Dk2zkLaENPtroOsocbWEYFGEF6lAT8iDhIj QqmMEwHm1ZIaQPhemLMDzWzTvVMMNM1B7vdawxDsdc1XBDeX+TpP8R5I4BT0V4v9mRjE tQ2zNrcoNyAtyVTruiBBf1XBTWbM/WXpnH9n4=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:subject:message-id:in-reply-to:references:x-mailer :mime-version:content-type; b=VbWpewNKqhXRY7FxdsGRu7JNXcIRJfAngvzb/VDKRNEV1+3HhhkuxyscpQuPgtoGy1 gOWCeDipMiH1gmzbk0POLbO427HBMYmRNoJCqreaXL/g3/H9G8G5xNKkDYaK4FYr9DsV lOjNwrYoG/y/ymcWok03Ym5WZAL011toGZn7w=
In-reply-to: <BANLkTimnudTJvEQmyUNMmUVfQiTq9o2aUA@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for discussion by the developers of Tor." <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <4DC480A2.4020600@xxxxxxxxxxxxxxxxxx> <BANLkTimbvHB5g7h2L0vL62JgRAnZhjZPUQ@xxxxxxxxxxxxxx> <4DC4B120.50406@xxxxxxxxxxxxxxxxxx> <BANLkTimnudTJvEQmyUNMmUVfQiTq9o2aUA@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx

On Fri, 6 May 2011 23:14:58 -0400
Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:

> Also, as I said on the bug, doing a memcmp in constant time is harder
> than doing eq/neq.  I *think* that all of the cases where we care
> about memcmp returning a tristate -1/0/1 result, we don't need
> data-independence... but in case we *do* need one, we'll have to do
> some malarkey like
> 
> int memcmp(const void *m1, const void *m2, size_t n)
> {
> /*XXX I don't know if this is even right; I haven't tested it at all */
>   const uint8_t *b1 = m1, *b2 = m2;
>   int retval = 0;
> 
>   while (n--) {
>     const uint8_t v1 = b1[n], v2 = b2[n];
>     int diff = (int)v1 - (int)v2;
>     retval = (v1 == v2) * retval + diff;
>   }
> 
>   return retval;
> }
> 
> which frankly makes me sad.  I bet there's a better way to go.

See attached.  This one is also untested (and I didn't even put the
â#include <stdint.h>â in the file), but it *should* work.

My technique for calculating equal_p came from my uint32-based
crypto_verify function in my previous message, which was in turn based
partly on DJB's crypto_verify functions and partly on a disassembly of
what GCC compiled DJB's functions to on a Fedora 12 AMD64 box.  But I
couldn't tell that the technique was correct, so this time I added
comments to it.

Robert Ransom

int tor_memcmp(const void *x_, const void *y_, size_t len) {
  const uint8_t *x = x_;
  const uint8_t *y = y_;
  size_t i = len;
  int retval = 0;

  /* The following assumes we are on a system with two's-complement
   * arithmetic. */
  while (i--) {
    int v1 = x_[i];
    int v2 = y_[i];
    int equal_p = v1 ^ v2;

    /* The following sets bits 8 and above of equal_p to equal_p == 0,
       and thus to v1 == v2. */
    --equal_p;

    equal_p >>= 8;
    /* Now equal_p is equal to -(v1 == v2), which is exactly
     * what we need below. */

    /* If v1 == v2, leave retval unchanged; otherwise, zero it. */
    retval &= equal_p;

    /* If we just zeroed retval, set it to v1 - v2; otherwise, leave
     * it unchanged. */
    retval += (v1 - v2);
  }

  return retval;
}

Attachment: signature.asc
Description: PGP signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] memcmp() & co. timing info disclosures?
  - From: Nick Mathewson

References:
- [tor-dev] memcmp() & co. timing info disclosures?
  - From: Marsh Ray
- Re: [tor-dev] memcmp() & co. timing info disclosures?
  - From: Nick Mathewson
- Re: [tor-dev] memcmp() & co. timing info disclosures?
  - From: Marsh Ray
- Re: [tor-dev] memcmp() & co. timing info disclosures?
  - From: Nick Mathewson

Prev by Author: Re: [tor-dev] memcmp() & co. timing info disclosures?
Next by Author: Re: [tor-dev] memcmp() & co. timing info disclosures?
Previous by thread: Re: [tor-dev] memcmp() & co. timing info disclosures?
Next by thread: Re: [tor-dev] memcmp() & co. timing info disclosures?
Index(es):
- Author
- Thread