On 12/31/2014 12:41 AM, Michael Haardt wrote: >> I placed this piece in a new NOTES section. >> >> Some text here about what one should do instead of using memcmp() >> might be helpful. Do you have any suggestions? > > Obviously a comparison with constant CPU usage is asked for, which is > rather easy to implement given that secrets are usually only compared > for being equal. AFAIK neither POSIX nor C99 offers a function for that. > I don't know if glibc does. NetBSD does (consttime_memequal), but that > does not help portable code, so I have no good suggestion really. Thanks. I'll add this text to the page: +Instead, a function that performs comparisons in constant time is required. +Some operating systems provide such a function (e.g., NetBSD's +.BR const_memequal ()), +but no such function is specified in POSIX. +On Linux, it may be necessary to implement such a function oneself. Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/ -- To unsubscribe from this list: send the line "unsubscribe linux-man" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
