libutee: TEE_MemCompare(): use constant time algorithm

TEE_MemCompare() currently calls memcmp() which returns as soon as a
difference is found in the compared buffers. The fact that the
comparison is not constant time for a given buffer size can reveal
information on the buffer content and lead to side-channel attacks.
Although the GlobalPlatform TEE Internal Core API specification says
nothing about this timing aspect, it is unsafe not to propose a constant
time implementation to TAs. A member of the GP specification working
group confirmed in an informal discussion.

Therefore, replace memcmp() with consttime_memcmp() for constant time
comparison. If a TA needs the fastest possible buffer comparison it can
call the C library function memcmp() (from <string.h>), which we provide
in libutils.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [3.2]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

0 files changed, 0 insertions, 0 deletions