grub-devel

Re: Grub-devel Digest, Vol 69, Issue 19


From: address@hidden
Subject: Re: Grub-devel Digest, Vol 69, Issue 19
Date: Tue, 10 Nov 2009 07:31:35 -0600

On Tue, Nov 10, 2009 at 4:06 AM, Pedro A ARANDA <address@hidden> wrote:
> Hi all,
>
> just my .00002 euro-cents:
>
> With this function, you always assume that strlen(s1) <= strlen(s2),
> right?
>
>> int
>> grub_auth_strcmp (const char *s1, const char *s2)
>> {
>>   int n;
>>   volatile int ret = 0;
>>
>>   for (n = grub_strlen (s1); n >= 0; n--)
>>     {
>>       if (*s1 != *s2)
>>         ret |= 1;
>>       else
>>         ret |= 0;
>>
>>       s1++; s2++;
>>     }
>>
>>   return ret;
>> }
>
> because if not, you'd have to
>
> if (*s1 == 0 || *s2 == 0)
> break;
>
> in the loop and the return would be something like
>
> return *s1 == 0 && *s2 == 0 && ret == 1;
>
> And then you can continue simplifying to
>
> while (1) {
>   if (*s1 != *s2) break;
>   if (*s1 == 0) break;
>   if (*s2 == 0) break;
>   s1++; s2++;
> }
> return *s1 == 0 && *s2 == 0;
>
> Again, just my .00002 euro-cents or less

That's a good efficient strcmp, but the execution time leaks all kinds
of information about the secret.  Specifically, when there's a front
subset match, the function will run longer.  That allows a brute force
attacker to break the password in linear time with the password length
instead of exponential time.  auth_strcmp is specifically trying to
avoid any data-dependent branching.

>
> Cheers,/PA
>
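An added illustration, not code from the thread or from GRUB: it instruments the early-exit loop quoted above to count the character positions it examines, and sets it beside a comparison that always does the same amount of work. PW_MAX, the zero-padded fixed-size buffers, the sample strings and all helper names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

#define PW_MAX 16  /* assumed buffer size; both inputs are zero-padded to it */

/* Early-exit loop from the quoted suggestion, instrumented: *steps counts
   the positions examined, a stand-in for execution time. */
int early_exit_equal(const char *s1, const char *s2, size_t *steps)
{
    *steps = 0;
    while (1) {
        (*steps)++;
        if (*s1 != *s2) break;
        if (*s1 == 0) break;
        s1++; s2++;
    }
    return *s1 == 0 && *s2 == 0;
}

/* Fixed-work comparison: always visits PW_MAX positions and folds the
   differences together with XOR/OR, so neither the iteration count nor
   any branch depends on where the inputs first differ. */
int fixed_work_equal(const char *a, const char *b, size_t *steps)
{
    volatile unsigned char diff = 0;
    size_t i;
    for (i = 0; i < PW_MAX; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    *steps = i;
    return diff == 0;
}

/* Constructed sample data, not taken from the thread. */
const char SECRET[PW_MAX] = "hunter2";
const char GUESSES[3][PW_MAX] = { "xxxxxxx", "hunxxxx", "hunter2" };

size_t steps_early(int g) { size_t n; early_exit_equal(SECRET, GUESSES[g], &n); return n; }
size_t steps_fixed(int g) { size_t n; fixed_work_equal(SECRET, GUESSES[g], &n); return n; }

int main(void)
{
    for (int g = 0; g < 3; g++)
        printf("%-8s early=%zu fixed=%zu\n", GUESSES[g], steps_early(g), steps_fixed(g));
    return 0;
}
```

The early-exit step count grows with the length of the matching prefix, while the fixed-work count stays at PW_MAX for every guess. Equal step counts in C do not guarantee equal timing in the compiled binary, so the generated code for such a routine should still be inspected.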



