On Sun, Jun 11, 2017 at 4:36 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > On Sun, Jun 11, 2017 at 1:13 AM, Kalle Valo <kvalo@xxxxxxxxxxxxxx> wrote: > > "Jason A. Donenfeld" <Jason@xxxxxxxxx> writes: > > > >> Whenever you're comparing two MACs, it's important to do this using > >> crypto_memneq instead of memcmp. With memcmp, you leak timing information, > >> which could then be used to iteratively forge a MAC. > > > > Do you have any pointers where I could learn more about this? > > While not using C specifically, this talks about the problem generally: > https://www.chosenplaintext.ca/articles/beginners-guide-constant-time-cryptography.html > Sorry for the stupid question, but the MAC address is in plaintext in the air anyway or easily accessible via user space tools. I fail to see what it is so secret about a MAC address in that code where that same MAC address is accessible via myriads of ways.
