[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Imminent bugfix release (1.97.1)
From: |
Vladimir 'phcoder' Serbinenko |
Subject: |
Re: Imminent bugfix release (1.97.1) |
Date: |
Mon, 09 Nov 2009 19:15:48 +0100 |
User-agent: |
Mozilla-Thunderbird 2.0.0.22 (X11/20090701) |
Robert Millan wrote:
> On Mon, Nov 09, 2009 at 06:46:16PM +0100, Duboucher Thomas wrote:
>
>> Ok, I typed this in a few minutes and I'm not confident either with
>> what I wrote; I would check that it works first. ;)
>> But the point here is that whatever the user gives as an input, it is
>> executed exactly n-th times, n being the length of the user input; and
>> that whatever the result of the 'if' statement is, the CPU realizes the
>> same amount of operations. By doing so, the attacker will only find out
>> how long it takes to make the comparison with a n caracters long input.
>>
>
> Actually, modern CPUs are very complex and the number of operations (or
> time taken by them) isn't easy to predict.
>
>
It's generally a good practice to do exactly same operations
independently of result just store the result in a separate variable
it's how RSA is correctly implemented
for (n = grub_strlen (s1); n >= 0; n--)
{
if (*s1 != *s2)
ret |= 1;
else
ret |= 0;
s1++; s2++;
}
It's pproximately how my first attempt worked and it had this bug. If
you can propose a good and tested code of this kind I would be ok with it
--
Regards
Vladimir 'phcoder' Serbinenko
signature.asc
Description: OpenPGP digital signature
- Re: Imminent bugfix release (1.97.1), (continued)
- Re: Imminent bugfix release (1.97.1), Robert Millan, 2009/11/08
- Re: Imminent bugfix release (1.97.1), Jordan Uggla, 2009/11/08
- Re: Imminent bugfix release (1.97.1), Bean, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Vladimir 'phcoder' Serbinenko, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Robert Millan, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Bean, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Vladimir 'phcoder' Serbinenko, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Duboucher Thomas, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Robert Millan, 2009/11/09
- Re: Imminent bugfix release (1.97.1),
Vladimir 'phcoder' Serbinenko <=
- Re: Imminent bugfix release (1.97.1), Robert Millan, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Bean, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Vladimir 'phcoder' Serbinenko, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Bean, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Duboucher Thomas, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Vladimir 'phcoder' Serbinenko, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Duboucher Thomas, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Robert Millan, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Duboucher Thomas, 2009/11/09
- Re: Imminent bugfix release (1.97.1), Darron Black, 2009/11/09