@jedisct1 there has been a discussion of this on oss-security. If memcmp were timing safe on OpenBSD, then porting would become unsafe.
OpenBSD’s memcmp() performs the comparison character by character? http://openbsd.cs.toronto.edu/cgi-bin/cvsweb/src/lib/libc/string/memcmp.c?rev=1.4&content-type=text/x-cvsweb-markup … I know there is timingsafe_bcmp(), but still.
@mik235 Other implementations at least start by comparing in chunks of 4 or 8 bytes. Faster and still more difficult to exploit.
@jedisct1 there are asm versions of memcmp for i386/arm/vax that compare by word, see lib/libc/arch/*/string. Not on amd64 though.