Simon Josefsson via Gnulib discussion list <[email protected]> writes:
> Paul Eggert <[email protected]> writes:
>
>> I named the new module "stringeq"; it implements both streq and memeq
>> in <string.h>.
>
> Looks great!
>
>> [2]: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n3617.txt
>
> Principles
> - Enable secure programming
>
> I worry a bit about security implications here -- I understand your
> intention here, but for crypto code memory/string equality checks have
> security implications if implemented in non-constant time.
>
> https://security.stackexchange.com/questions/160808/why-should-memcmp-not-be-used-to-compare-security-critical-data
>
> Could the description clarify that memeq and streq functions are NOT
> intended to be constant-time depending on the input strings? Which I
> presume is the property you desire here, since this seems more about
> functionality and then performance is important.
>
> I wouldn't want anyone reading "secure programming" as meaning
> constant-time operation.
>
> This opens up for adding a proper secure_memeq() API which DOES guarantee
> constant time though. What do you think about doing that?
>
> NetBSD has consttime_memequal() for this, but I've not seen it generally
> implemented. I'm not sure a naive secure_memeq() will actually be
> sufficient, maybe you want it to not even leak the length of the strings
> passed to the function. That is impossible generally, but for short
> strings you can do better. Maybe it should guarantee leaking nothing
> about string lengths for inputs < 255 bytes? I didn't look into the
> NetBSD implementation if it cares about this.

I would rather not standardize a new function name for constant-time
comparisons. We already have consttime_memequal from NetBSD, as you
mention, and timingsafe_bcmp/timingsafe_memcmp from OpenBSD, which
preceded the NetBSD function, IIRC.

If the interface were to be standardized, it would be best just to use
timingsafe_memcmp, which seems to have gotten the most traction based
off of Debian code search [1] and what I have seen in projects.

Collin

[1] https://codesearch.debian.net/
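The distinction the thread turns on, a speed-oriented memeq that stops at the first differing byte versus a data-independent comparison of the kind NetBSD's consttime_memequal and OpenBSD's timingsafe_bcmp provide, as an added example. This is not gnulib, NetBSD or OpenBSD code; the names fast_memeq, fast_memeq_work and ct_memequal are hypothetical, and the sample tag values are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit equality, the shape a speed-oriented memeq naturally takes.
   Returns 1 if the buffers are equal, 0 otherwise.  The loop leaves as
   soon as a difference is found, so how long it runs depends on the data. */
int
fast_memeq (const void *a, const void *b, size_t len)
{
  const unsigned char *pa = a, *pb = b;
  for (size_t i = 0; i < len; i++)
    if (pa[i] != pb[i])
      return 0;
  return 1;
}

/* The same loop, instrumented: returns how many bytes fast_memeq looks at
   before returning.  A caller that can measure this (or its run time)
   learns the position of the first mismatch, which is the side channel
   Simon's link describes. */
size_t
fast_memeq_work (const void *a, const void *b, size_t len)
{
  const unsigned char *pa = a, *pb = b;
  size_t i;
  for (i = 0; i < len && pa[i] == pb[i]; i++)
    ;
  return i < len ? i + 1 : len;
}

/* Data-independent equality in the style of consttime_memequal /
   timingsafe_bcmp.  Every byte is visited and differences are OR-ed
   into an accumulator, so the work depends on LEN but not on the
   contents.  Returns 1 if equal, 0 otherwise.  Note that LEN itself is
   still observable; hiding the length is a separate problem, as the
   thread notes.  The volatile qualifier discourages the compiler from
   turning the loop back into an early-exit compare; it is a convention,
   not a guarantee, so compiled output should still be inspected. */
int
ct_memequal (const void *a, const void *b, size_t len)
{
  const volatile unsigned char *pa = a;
  const volatile unsigned char *pb = b;
  unsigned int acc = 0;
  for (size_t i = 0; i < len; i++)
    acc |= pa[i] ^ pb[i];
  /* acc is 0..255; (acc - 1) >> 8 has bit 0 set only when acc == 0,
     which collapses the result to 0/1 without a data-dependent branch. */
  return ((acc - 1) >> 8) & 1;
}

int
main (void)
{
  /* Constructed sample: a 16-byte tag and two wrong guesses, one wrong in
     the first byte and one wrong only in the last byte. */
  const char *tag   = "0123456789abcdef";
  const char *early = "X123456789abcdef";
  const char *late  = "0123456789abcdeX";

  printf ("fast_memeq bytes examined: early mismatch %zu, late mismatch %zu\n",
          fast_memeq_work (tag, early, 16), fast_memeq_work (tag, late, 16));
  printf ("ct_memequal: early %d, late %d, same %d (16 bytes of work each)\n",
          ct_memequal (tag, early, 16), ct_memequal (tag, late, 16),
          ct_memequal (tag, tag, 16));
  return 0;
}
```

Running it prints 1 versus 16 bytes examined for the two wrong guesses under fast_memeq, while ct_memequal does the same 16 bytes of work for all three inputs and only its return value differs; that is the property a MAC or password-hash check needs, and the one Simon asks the stringeq description not to imply.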
