Hi Rouven,
On Thu, Feb 6, 2014 at 8:36 AM, Rouven Weßling <[email protected]> wrote:
> > It could be optimized a little since 256 is too much for now.
> > How about make MAX returns max of 3 values?
> >
> > len = MAX(known_len, user_len, 64);
>
>
> What would this buy us? We still get branch on MAX and the memory access
> would still go the same memory if the string is shorter than 64 bytes.
I think we may ignore length leak and focus comparison.
len = MAX(known_len, 64) is for to make more difficult to guess short
secret(known_str) byte length, hopefully. Just trying to less obvious, but
it's not hiding.
Perhaps, something like this would be good enough.
+ /**
+ * If known_string has a length of 0 we set the length to 1,
+ * this will cause us to compare all bytes of userString with the null
byte which fails
+ */
+ mod_len = MAX(known_len, 1);
len = MAX(user_len, 64); // Do not care much
len = MAX(known_len, len); // Do not care much
// These kind of operations have done somewhere anyway
// Just don't care.
k = (unsinged char *)emalloc(len+1)
u = (unsinged char *)emalloc(len+1);
memset(k, 0, len+1);
memset(u, 0, len+1);
strncpy(k, known_str, known_len);
strncpy(u, user_str, user_len);
+
+ /* This is security sensitive code. Do not optimize this for speed. */
+ result = known_len - user_len;
+ for (j = 0; j < user_len; j++) {
+ result |= known_str[j % mod_len] ^ user_str[j];
for (; len > 0; len--) {
result |= *k++ ^ *u++; // This must
be constant. Use simpler operation and keep constant operation here is
enough.
+ }
Regards,
--
Yasuo Ohgaki
[email protected]