Andy Polyakov <ap...@openssl.org> wrote:
>Brian Smith wrote:
>> See
>> https://github.com/openssl/openssl/commit/d6482a82bc2228327aa4ba98aeeecd9979542a31#diff-3aca3afd18ad75a8f6a09a9860bc6ef5R631
>>
>> + volatile BN_ULONG *table = (volatile BN_ULONG *)buf;
>>
>> Why is `volatile` used here? Is it to work around the effective type
>> (strict aliasing) violations or for some other reason?
>
> Isn't it obvious? Volatile is there to discourage compiler from
> reordering loads from the the table. I mean concern is that if reordered
> in specific manner loads might give away the information we are trying
> to conceal.
Sorry, maybe these things are obvious to many people but they're not so obvious to me. I saw that after I posted this email, you added a comment that says something similar to what you wrote above. But, just to be absolutely clear: the concern is that the compiler might notice, "hey, this code is scanning this input array in a weird way. I can redo the math (in a way that will result in non-constant-time access to the buffers containing secrets) so that this is much faster." So, maybe, it is not so much the order of the accesses that matters, but rather that the compiler might choose to do different math that arrives at the same results, but with different timing?

>> I think it would
>> be good to document this, or better, find a way to avoid needing to use
>> `volatile` in the first place.
>
> Well, the only guaranteed way is to implement it in assembly. Note that
> on most popular/relevant platform it *is* implemented in assembly.

Yes, understood. And, in general, people should be using blinding for RSA and avoiding the other algorithms that use this code.

Thanks for taking the time to answer my questions! I appreciate it.

Cheers,
Brian
--
https://briansmith.org/

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
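The lookup pattern the thread is discussing, shown as an added example written for this page and not OpenSSL's own bn_exp.c code: a naive indexed row copy next to a constant-time gather that reads every row of the table, in a fixed order, through a volatile pointer and selects the wanted row with a mask. `limb_t` stands in for BN_ULONG (assumed 64-bit), and the table contents, row count and width are constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for OpenSSL's BN_ULONG (assumption: a 64-bit limb). */
typedef uint64_t limb_t;

#define ENTRIES 8   /* constructed: 2^3 rows, like a 3-bit window */
#define WIDTH   4   /* constructed: limbs per row */

/* Naive gather: copy row `idx` out of a table of `entries` rows of `width`
 * limbs. Every load address depends on the secret `idx`, so cache timing
 * can leak it, and the compiler may restructure the copy however it likes
 * as long as the result is unchanged. */
static void gather_naive(limb_t *out, const limb_t *buf,
                         size_t entries, size_t width, size_t idx) {
    (void)entries;
    for (size_t j = 0; j < width; j++)
        out[j] = buf[idx * width + j];
}

/* All-ones limb when a == b, zero otherwise, computed without a branch. */
static limb_t ct_mask_eq(size_t a, size_t b) {
    size_t x = a ^ b;                                        /* 0 iff a == b */
    size_t nz = (x | (0 - x)) >> (sizeof(size_t) * 8 - 1);  /* 1 iff x != 0 */
    return (limb_t)0 - (limb_t)(1 - nz);
}

/* Constant-time gather: read every row in program order and OR the wanted
 * one into `out` through a mask. The volatile cast is the trick from the
 * thread: each table[...] read becomes an access the compiler must perform,
 * in order, so it cannot notice that only one row contributes and collapse
 * the scan back into a single secret-indexed copy. */
static void gather_ct(limb_t *out, const limb_t *buf,
                      size_t entries, size_t width, size_t idx) {
    const volatile limb_t *table = (const volatile limb_t *)buf;
    for (size_t j = 0; j < width; j++)
        out[j] = 0;
    for (size_t i = 0; i < entries; i++) {
        limb_t m = ct_mask_eq(i, idx);
        for (size_t j = 0; j < width; j++)
            out[j] |= table[i * width + j] & m;
    }
}

/* Constructed table: row i, limb j holds (i << 8) | j, so values read easily. */
static void fill_table(limb_t *buf) {
    for (size_t i = 0; i < ENTRIES; i++)
        for (size_t j = 0; j < WIDTH; j++)
            buf[i * WIDTH + j] = ((limb_t)i << 8) | (limb_t)j;
}

/* Gather row `idx` with the constant-time routine and return its limb `j`. */
static limb_t demo_limb(size_t idx, size_t j) {
    limb_t buf[ENTRIES * WIDTH], row[WIDTH];
    fill_table(buf);
    gather_ct(row, buf, ENTRIES, WIDTH, idx);
    return row[j];
}

/* Returns 1 if the naive and constant-time gathers agree for every row. */
static int selftest(void) {
    limb_t buf[ENTRIES * WIDTH], a[WIDTH], b[WIDTH];
    fill_table(buf);
    for (size_t idx = 0; idx < ENTRIES; idx++) {
        gather_naive(a, buf, ENTRIES, WIDTH, idx);
        gather_ct(b, buf, ENTRIES, WIDTH, idx);
        for (size_t j = 0; j < WIDTH; j++)
            if (a[j] != b[j])
                return 0;
    }
    return 1;
}

int main(void) {
    for (size_t j = 0; j < WIDTH; j++)
        printf("row 5, limb %zu = 0x%llx\n", j, (unsigned long long)demo_limb(5, j));
    printf("selftest: %s\n", selftest() ? "ok" : "FAIL");
    return 0;
}
```

Build with `cc -O2 ct_gather.c` and compare the two loops in the disassembly: the naive copy becomes one indexed block move, while the volatile scan keeps one load per limb per row. As the thread notes, volatile only constrains the loads; the mask arithmetic and the absence of a secret-dependent branch are the other half, and only assembly actually guarantees the instruction sequence.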