[tor-dev] memcmp() & co. timing info disclosures?

Chris Palmer chris at eff.org
Sat May 7 05:56:31 UTC 2011


On May 6, 2011, at 10:35 PM, Marsh Ray wrote:

> Of course, we could always just compute SHA-256 hashes of each side and then compare those, right? :-)

Yes, Brad Hill suggested that (in a Java/C# context). Nate Lawson didn't like it on performance grounds, but I don't recall hearing any correctness-related complaints.

http://www.isecpartners.com/blog/2011/2/18/double-hmac-verification.html

You could use the volatile sledgehammer, and then use a unit test to make sure that it remains working over time. And/or you could put it in its own file, and compile it with -O0, in case that helps.


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
https://www.eff.org/code



More information about the tor-dev mailing list