New function memeql_sec.

2 files changed, 20 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index 3d12926c..23d976f3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-03-14  Niels Möller  <nisse@diamant.hack.org>
+
+	* ccm.c (memeql_sec): New function, more side-channel silent than
+	memcmp.
+	(ccm_decrypt_message): Use it.
+
 2015-03-12  Niels Möller  <nisse@diamant.hack.org>
 
 	* base64.h (struct base64_encode_ctx): Micro optimization of
diff --git a/ccm.c b/ccm.c
index c5ff7908..b98bc9cf 100644
--- a/ccm.c
+++ b/ccm.c
@@ -246,6 +246,19 @@ ccm_encrypt_message(const void *cipher, nettle_cipher_func *f,
   ccm_digest(&ctx, cipher, f, tlength, tag);
 }
 
+/* FIXME: Should be made public, under some suitable name. */
+static int
+memeql_sec (const void *a, const void *b, size_t n)
+{
+  volatile const unsigned char *ap = (const unsigned char *) a;
+  volatile const unsigned char *bp = (const unsigned char *) b;
+  volatile unsigned char d;
+  size_t i;
+  for (d = i = 0; i < n; i++)
+    d |= (ap[i] ^ bp[i]);
+  return d == 0;
+}
+
 int
 ccm_decrypt_message(const void *cipher, nettle_cipher_func *f,
 		    size_t nlength, const uint8_t *nonce,
@@ -258,5 +271,5 @@ ccm_decrypt_message(const void *cipher, nettle_cipher_func *f,
   ccm_update(&ctx, cipher, f, alength, adata);
   ccm_decrypt(&ctx, cipher, f, mlength, dst, src);
   ccm_digest(&ctx, cipher, f, tlength, tag);
-  return (memcmp(tag, src + mlength, tlength) == 0);
+  return memeql_sec(tag, src + mlength, tlength);
 }