>>> See
>>> https://github.com/openssl/openssl/commit/d6482a82bc2228327aa4ba98aeeecd9979542a31#diff-3aca3afd18ad75a8f6a09a9860bc6ef5R631
>>>
>>> + volatile BN_ULONG *table = (volatile BN_ULONG *)buf;
>>>
>>> Why is `volatile` used here? Is it to work around the effective type
>>> (strict aliasing) violations or for some other reason?
>>
>> Isn't it obvious? Volatile is there to discourage the compiler from
>> reordering loads from the table. I mean the concern is that if reordered
>> in a specific manner, loads might give away the information we are trying
>> to conceal.
>
> Sorry, maybe these things are obvious to many people but they're not
> so obvious to me. I saw that after I posted this email, you added a
> comment that says something similar to what you wrote above. But, just
> to be absolutely clear: the concern is that the compiler might notice,
> "hey, this code is scanning this input array in a weird way. I can
> redo the math (in a way that will result in non-constant-time access
> to the buffers containing secrets) so that this is much faster." So,
> maybe, it is not so much the order of the accesses that matters, but
> rather that the compiler might choose to do different math that
> arrives at the same results, but with different timing?
Well, it's all about timing *variation* depending on the attacker's activity. But it's not really about making timing independent of the attacker's activity, but making it independent of secret material. I mean it *may* depend on the attacker's activity, but whatever dependency there is may not depend on secret material. And it may not depend on it during operation either. I mean it's not enough to make the overall time independent, but even each intermediate step.

'volatile' formally obliges the compiler to actually perform all the references (none can be omitted, that would be a catastrophic scenario) and even preserve their order (the concern is that the compiler would regroup them in a manner that would allow the attacker to trace the execution, which in turn might give away information).

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
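A constant-time row gather of the kind the quoted commit performs, written as an added example for this thread rather than taken from OpenSSL's own bn_exp.c; `word_t` stands in for BN_ULONG (assumed 64-bit) and the table contents are constructed. Every word of every row is loaded through a `volatile` pointer, so the compiler can neither drop the loads for unselected rows nor reorder them, and the wanted row is accumulated with a mask instead of a branch on the secret index.

```c
#include <stdint.h>
#include <stddef.h>

/* Stand-in for BN_ULONG (assumption: 64-bit words). */
typedef uint64_t word_t;

/* All-ones if a == b, zero otherwise, with no data-dependent branch. */
static word_t ct_eq_mask(word_t a, word_t b)
{
    word_t x = a ^ b;                                   /* zero iff equal */
    word_t nz = (x | ((word_t)0 - x)) >> (sizeof(word_t) * 8 - 1); /* 1 iff x != 0 */
    return (word_t)0 - (nz ^ 1);                        /* 0 - 1 = all ones */
}

/* Copy row `idx` (secret) of a table of `rows` rows, `width` words each, into
 * `out`. Every word of every row is read, in program order, through a
 * volatile pointer; only the masked contribution of row `idx` survives. */
static void ct_gather_row(word_t *out, const word_t *buf,
                          size_t rows, size_t width, size_t idx)
{
    const volatile word_t *table = (const volatile word_t *)buf;
    size_t i, j;

    for (j = 0; j < width; j++)
        out[j] = 0;
    for (i = 0; i < rows; i++) {
        word_t m = ct_eq_mask((word_t)i, (word_t)idx);
        for (j = 0; j < width; j++)
            out[j] |= table[i * width + j] & m;   /* load happens for every row */
    }
}

/* Constructed sample: 4 rows of 2 words, row i holds {0x100*i + 1, 0x100*i + 2}.
 * Returns word j of the gathered row idx so the result can be checked. */
word_t demo_gather(size_t idx, size_t j)
{
    enum { ROWS = 4, WIDTH = 2 };
    word_t buf[ROWS * WIDTH];
    word_t out[WIDTH];
    size_t i;

    for (i = 0; i < ROWS; i++) {
        buf[i * WIDTH]     = 0x100 * (word_t)i + 1;
        buf[i * WIDTH + 1] = 0x100 * (word_t)i + 2;
    }
    ct_gather_row(out, buf, ROWS, WIDTH, idx);
    return out[j];
}
```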