This breaks compatibility. Users need to switch to the crypto_verify
functions. Sorry.

I do not break compatibility lightly.

Under the heaviest optimisation options (`-O3`), the old comparison
functions generated a huge amount of code, with quite a few
conditional branches. It wasn't clear those branches weren't input
dependent. This could lead to timing attacks down the line.

This is not just theoretical. During my tests, I have observed
suspect timings (that's why I looked at the assembly in the first
place). I tried to tweak the implementations, to no avail (some of my
tweaks actually made things worse).

Using more reasonable optimisation settings (`-O2`) is not an option:
the performance of `-O3` is simply too juicy to be ignored. Some
users *will* sacrifice security to use it, even if I tell them not to.

The crypto_verify functions emit very terse and clean assembly, which
contains no conditional branches, and no input dependent indices.
That I can trust.
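The shape the message argues for, as an added example that is not the project's own crypto_verify code: an accumulate-then-fold compare that visits every byte and produces its result arithmetically, next to the early-exit compare whose running time depends on the input. The 16-byte sample tags are constructed values, and `ct_verify` / `leaky_compare` are names chosen here, not the project's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Branchless comparison in the spirit of the crypto_verify functions
 * (added example, not the project's code). Returns 0 when the buffers
 * are equal and -1 otherwise. The loop never exits early and the
 * result is folded with arithmetic rather than if/else, so the source
 * hands the compiler no input-dependent branch and no input-dependent
 * index. The emitted assembly must still be checked, as the author did. */
static int ct_verify(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint32_t)(a[i] ^ b[i]);   /* diff stays within 0..255 */
    }
    /* diff == 0: diff - 1 wraps to 0xFFFFFFFF, bit 8 set   -> 1 - 1 =  0
     * diff != 0: diff - 1 is below 256, bit 8 clear       -> 0 - 1 = -1 */
    return (int)(1 & ((diff - 1) >> 8)) - 1;
}

/* The typical early-exit shape (not the project's old code): it returns
 * at the first mismatch, so its timing leaks how many leading bytes of
 * a forged tag were already correct. */
static int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) return -1;
    }
    return 0;
}

/* Constructed 16-byte sample tags; tag_bad differs only in its last byte. */
static const uint8_t tag_ref[16] = {0x5a,0x1f,0xc3,0x07,0x88,0x91,0x2e,0x4d,
                                    0xaa,0x0b,0x6c,0xf2,0x13,0x9e,0x57,0x60};
static const uint8_t tag_ok[16]  = {0x5a,0x1f,0xc3,0x07,0x88,0x91,0x2e,0x4d,
                                    0xaa,0x0b,0x6c,0xf2,0x13,0x9e,0x57,0x60};
static const uint8_t tag_bad[16] = {0x5a,0x1f,0xc3,0x07,0x88,0x91,0x2e,0x4d,
                                    0xaa,0x0b,0x6c,0xf2,0x13,0x9e,0x57,0x61};

int main(void)
{
    printf("ct_verify(ref, ok)      = %d\n", ct_verify(tag_ref, tag_ok, 16));
    printf("ct_verify(ref, bad)     = %d\n", ct_verify(tag_ref, tag_bad, 16));
    printf("leaky_compare(ref, bad) = %d\n", leaky_compare(tag_ref, tag_bad, 16));
    return 0;
}
```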