
Suppress a harmless variable-time optimization by clang in memczero
ClosedPublic

Authored by deadalnix on Jun 4 2020, 10:09.

Details

Summary
  • Suppress a harmless variable-time optimization by clang in memczero

This has not been caught by the new constant-time tests because
valgrind currently gives us a zero exit code even if it finds errors, see
https://github.com/bitcoin-core/secp256k1/pull/723#discussion_r388246806 .

This commit also simplifies the arithmetic in memczero.

Note that the timing leak here was the bit whether a secret key was
out of range. This leak is harmless and not exploitable. It is just
our overcautious practice to prefer constant-time code even here.

  • Add test for memczero()

This is a backport of libsecp256k1 PR728
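The optimization the summary refers to is the one a compiler applies when it can see that a mask derived from `flag` is either all-zero or all-one: it replaces the masking loop with a branch around a `memset`, which is functionally identical but runs in time that depends on `flag`. The example below is added for illustration and is not libsecp256k1's code, nor the patch being backported. `ct_memczero`, `vt_memczero`, `all_zero` and the `selftest_*` helpers are names chosen here. The constant-time version routes the stores through a `volatile` pointer so the compiler may not elide or restructure them, and derives the byte mask arithmetically rather than by testing `flag` in a conditional.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Conditionally zero `len` bytes at `s` when `flag` is nonzero, without
 * branching on `flag`. Any nonzero flag is normalized to 1 first, so the
 * arithmetic mask is exactly 0xFF (zero the byte) or 0x00 (keep the byte).
 * Writing through a volatile pointer keeps the compiler from turning the
 * loop into `if (flag) memset(...)`, which is the variable-time shape the
 * summary warns about. (Illustrative code, not the project's own.) */
static void ct_memczero(void *s, size_t len, int flag) {
    volatile unsigned char *p = (volatile unsigned char *)s;
    unsigned char bit = (unsigned char)(flag != 0);      /* 0 or 1 */
    unsigned char mask = (unsigned char)-bit;            /* 0x00 or 0xFF */
    unsigned char keep = (unsigned char)~mask;           /* 0xFF or 0x00 */
    size_t i;
    for (i = 0; i < len; i++) {
        p[i] &= keep;
    }
}

/* The variable-time counterpart: same result, but the branch on `flag`
 * takes a different amount of time depending on the secret-derived bit.
 * Shown only for contrast; do not use it for secret-dependent clearing. */
static void vt_memczero(void *s, size_t len, int flag) {
    if (flag) {
        memset(s, 0, len);
    }
}

/* Returns 1 if every byte in p[0..n) is zero, else 0. */
static int all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Constructed 32-byte "secret key" used by the self-tests below. */
#define KEY_LEN 32
static void fill_key(unsigned char key[KEY_LEN]) {
    size_t i;
    for (i = 0; i < KEY_LEN; i++) {
        key[i] = (unsigned char)(0xA5 ^ i);
    }
}

/* flag = 1: the buffer must be fully zeroed. Returns 1 on success. */
static int selftest_zeroed(void) {
    unsigned char key[KEY_LEN];
    fill_key(key);
    ct_memczero(key, KEY_LEN, 1);
    return all_zero(key, KEY_LEN);
}

/* flag = 0: the buffer must be untouched. Returns 1 on success. */
static int selftest_untouched(void) {
    unsigned char key[KEY_LEN], ref[KEY_LEN];
    fill_key(key);
    memcpy(ref, key, KEY_LEN);
    ct_memczero(key, KEY_LEN, 0);
    return memcmp(key, ref, KEY_LEN) == 0;
}

/* A nonzero flag other than 1 (here 7) must also zero the buffer, since the
 * mask is built from `flag != 0` rather than from `flag` itself. */
static int selftest_nonunit_flag(void) {
    unsigned char key[KEY_LEN];
    fill_key(key);
    ct_memczero(key, KEY_LEN, 7);
    return all_zero(key, KEY_LEN);
}

/* Both variants agree on output; only their timing behaviour differs. */
static int selftest_same_result(void) {
    unsigned char a[KEY_LEN], b[KEY_LEN];
    fill_key(a);
    fill_key(b);
    ct_memczero(a, KEY_LEN, 1);
    vt_memczero(b, KEY_LEN, 1);
    return memcmp(a, b, KEY_LEN) == 0;
}
```

Functional tests like the ones above cannot tell the two versions apart; that is exactly why the summary relies on a valgrind-based constant-time check and why a silently zero exit code from that check matters. When adopting a pattern like this, inspect the generated assembly for the target compiler and optimization level, since `volatile` constrains the stores but does not by itself forbid a compiler from introducing a branch elsewhere.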

Test Plan
ninja all check check-secp256k1

Event Timeline

[Bot Message]
One or more PR numbers were detected in the summary.
Links to those PRs have been inserted into the summary for reference.

This revision is now accepted and ready to land. Jun 4 2020, 13:05