[openssl-dev] Why is `volatile` used in MOD_EXP_CTIME_COPY_FROM_PREBUF?

Brian Smith brian at briansmith.org
Wed Jun 8 01:38:25 UTC 2016


Andy Polyakov <appro at openssl.org> wrote:
>Brian Smith wrote:
>> See
>> https://github.com/openssl/openssl/commit/d6482a82bc2228327aa4ba98aeeecd9979542a31#diff-3aca3afd18ad75a8f6a09a9860bc6ef5R631
>>
>> + volatile BN_ULONG *table = (volatile BN_ULONG *)buf;
>>
>> Why is `volatile` used here? Is it to work around the effective type
>> (strict aliasing) violations or for some other reason?
>
> Isn't it obvious? Volatile is there to discourage compiler from
> reordering loads from the table. I mean concern is that if reordered
> in specific manner loads might give away the information we are trying
> to conceal.

Sorry, maybe these things are obvious to many people but they're not
so obvious to me. I saw that after I posted this email, you added a
comment that says something similar to what you wrote above. But, just
to be absolutely clear: the concern is that the compiler might notice,
"hey, this code is scanning this input array in a weird way. I can
redo the math (in a way that will result in non-constant-time-access
to the buffers containing secrets) so that this is much faster." So,
maybe, it is not so much the order of the accesses that matter, but
rather that the compiler might choose to do different math that
arrives at the same results, but with different timing?

>> I think it would
>> be good to document this, or better, find a way to avoid needing to use
>> `volatile` in the first place.
>
> Well, the only guaranteed way is to implement it in assembly. Note that
> on most popular/relevant platform it *is* implemented in assembly.

Yes, understood. And, in general, people should be using blinding for
RSA and avoiding the other algorithms that use this code.

Thanks for taking the time to answer my questions! I appreciate it.

Cheers,
Brian
-- 
https://briansmith.org/
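An added example (not OpenSSL's code and not from either poster) of the constant-time table copy the thread is about: every entry is read and masked, and the `volatile` qualifier plays the role Andy describes, asking the compiler to perform the loads as written instead of restructuring the scan around the secret index. `BN_ULONG` as `uint64_t`, the flat table layout and the helper names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed: OpenSSL's limb type is a 64-bit word here. */
typedef uint64_t BN_ULONG;

/* All-ones mask when a == b, all-zeros otherwise, with no branch on
 * the (secret) comparison. Relies on BN_ULONG being 64 bits wide. */
static BN_ULONG ct_eq_mask(size_t a, size_t b)
{
    BN_ULONG x = (BN_ULONG)(a ^ b);
    BN_ULONG nonzero = (x | (0 - x)) >> 63;   /* 1 iff x != 0 */
    return nonzero - 1;                        /* 0 -> ~0, 1 -> 0 */
}

/* Copy entry `idx` (secret) out of a table of `n` entries of `width`
 * limbs each, touching every entry so the access pattern does not
 * depend on idx. The volatile cast mirrors the commit under discussion. */
static void ct_copy_from_table(BN_ULONG *out, const BN_ULONG *buf,
                               size_t n, size_t width, size_t idx)
{
    const volatile BN_ULONG *table = (const volatile BN_ULONG *)buf;
    size_t i, j;
    for (j = 0; j < width; j++)
        out[j] = 0;
    for (i = 0; i < n; i++) {
        BN_ULONG m = ct_eq_mask(i, idx);
        for (j = 0; j < width; j++)
            out[j] |= table[i * width + j] & m;
    }
}

/* Constructed sample table: 4 entries of 2 limbs, limb j of entry i
 * holds (i << 4) | j, so the copied values are easy to recognise. */
static BN_ULONG lookup_limb(size_t idx, size_t j)
{
    static const BN_ULONG buf[8] = {0x00, 0x01, 0x10, 0x11,
                                    0x20, 0x21, 0x30, 0x31};
    BN_ULONG out[2];
    ct_copy_from_table(out, buf, 4, 2, idx);
    return out[j];
}

int main(void)
{
    printf("entry 2 = %#llx %#llx\n", (unsigned long long)lookup_limb(2, 0),
           (unsigned long long)lookup_limb(2, 1));
    return 0;
}
```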