Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

strcase: add and use Curl_timestrcmp #9658

Closed
wants to merge 3 commits into from

Conversation

bagder
Copy link
Member

@bagder bagder commented Oct 6, 2022

This is a strcmp() alternative function for comparing "secrets", designed to take the same time no matter the content to not leak match/non-match info to observers based on how fast it is.

The time this function takes is only a function of the shortest input string.

Reported-by: Trail of Bits

@bagder
Copy link
Member Author

bagder commented Oct 6, 2022

If anyone wants to bikeshed on the function name, please tell me a better one.

bagder added 3 commits Oct 7, 2022
This is a strcmp() alternative function for comparing "secrets",
designed to take the same time no matter the content to not leak
match/non-match info to observers based on how fast it is.

The time this function takes is only a function of the shortest input
string.

Reported-by: Trail of Bits
@bagder bagder force-pushed the bagder/constant-time-strcmp branch from a64a863 to 6f46b2b Compare Oct 7, 2022
@bagder bagder closed this in ed5095e Oct 8, 2022
@bagder bagder deleted the bagder/constant-time-strcmp branch Oct 8, 2022
@dfandrich
Copy link
Collaborator

dfandrich commented Oct 8, 2022

FWIW, I looked into the names for similar functions used by other projects, but didn't get a chance to write this in time to really bikeshed it. But here goes anyway! Of the 24 functions/class names I found, 46% had some variation of "constant time", "const" "ct" in the name, and 50% had "time" or "timing" in the name (there is some overlap between the two). Of the rest, 12% had "crypto", "secure" or "slow" in the name (one sample for each), and 25% had completely generic names.

So, Curl_timestrcmp would fall into one of the more popular categories, but Curl_consttimestrcmp would fit into the even more popular category of names. But, the current name shouldn't be very surprising to someone new.

For completeness and posterity, here are the names I found:

ConstantTimeCompare
constant_time_compare
constant_time_eq
constant-time-equal
constantTimeEquals
constantTimeMemcmp
constEq
crypto-equality
ct_compare
fixed_time_eq
isEqual
mem_neq
osmo_constant_time_cmp
secure_compare
slowEquals
Str_compareConstantTime
strctcmp
streql
str_equals_timing_almost_safe
str_iseq
TimeConstantComparer
timingSafeEqual
VerifyBufsEqual

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants