On 03-05-17 22:15, Steffan Karger wrote:
> On 26-04-17 18:00, David Sommerseth wrote:
>> In addition it moves the hash verification away from memcmp() to
>> memcmp_constant_time(). And slightly it enhances the layout of the
>> --verify-hash section in the man page.
>
> Hashes are public, so there is no real need to use
> memcmp_constant_time() here. It doesn't hurt either though - so I won't
> complain further if you prefer to keep it ;-)
Hrmpf, on sending I realize this is not the right argument. Public doesn't matter (MACs are public too); what matters is that we are not comparing attacker input (a MAC), but the calculated hash of attacker input (the hash of the supplied cert). As long as the hash function is preimage resistant, we don't have to do a constant time comparison. (And SHA1/SHA256 and even MD5 are pre-image resistant.)

Hashing the inputs and comparing the hashes actually is one of the options to do a constant time memcmp :-)

-Steffan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
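The distinction Steffan draws, as an added Python example that is not OpenVPN's code: a --verify-hash style check compares a locally configured fingerprint against the hash of the peer-supplied certificate, so an ordinary early-exit comparison leaks nothing useful, whereas a supplied MAC is attacker input and needs either a fixed-time compare or the hash-then-compare trick. The certificate bytes, key and nonce handling are constructed for the example.

```python
import hashlib
import hmac
import secrets


def memcmp_constant_time(a: bytes, b: bytes) -> bool:
    """Fixed-time equality: OR-accumulate the XOR of every byte pair, no early exit."""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


def fingerprint(cert_der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest, the form an operator pastes into --verify-hash."""
    digest = hashlib.new(algo, cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def verify_cert_hash(cert_der: bytes, expected_fp: str, algo: str = "sha256") -> bool:
    """The --verify-hash situation: the peer controls cert_der, but the value being
    compared is H(cert_der) against a local constant. An early-exit == is fine here
    because learning bytes of H(cert_der) does not help the peer craft a cert whose
    hash equals the configured one (preimage resistance)."""
    got = hashlib.new(algo, cert_der).digest()
    want = bytes.fromhex(expected_fp.replace(":", ""))
    return got == want  # plain comparison; not a timing oracle on anything secret


def compute_mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, "sha256").digest()


def verify_mac_hash_then_compare(key: bytes, msg: bytes, supplied_mac: bytes) -> bool:
    """The MAC situation: supplied_mac IS attacker input, so comparing it directly
    with an early-exit == would leak the expected MAC byte by byte. Steffan's
    alternative to memcmp_constant_time: hash both sides (here keyed with a fresh
    random nonce, so the attacker cannot predict either hash) and then compare
    those hashes with an ordinary ==."""
    expected = compute_mac(key, msg)
    nonce = secrets.token_bytes(32)  # constructed per call; never leaves the process
    lhs = hmac.new(nonce, expected, "sha256").digest()
    rhs = hmac.new(nonce, supplied_mac, "sha256").digest()
    return lhs == rhs
```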