KEYS: encrypted: use constant-time HMAC comparison
authorEric Biggers <ebiggers@google.com>
Thu, 8 Jun 2017 13:48:32 +0000 (14:48 +0100)
committerJames Morris <james.l.morris@oracle.com>
Fri, 9 Jun 2017 03:29:47 +0000 (13:29 +1000)
MACs should, in general, be compared using crypto_memneq() to prevent
timing attacks.

Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
security/keys/encrypted-keys/encrypted.c

index 702c80662069068fcbff56222f8c9243e7d1be20..5c98c2fe03f0368d8fe8874744ca1a9cec82b0e5 100644 (file)
@@ -30,6 +30,7 @@
 #include <linux/scatterlist.h>
 #include <linux/ctype.h>
 #include <crypto/aes.h>
+#include <crypto/algapi.h>
 #include <crypto/hash.h>
 #include <crypto/sha.h>
 #include <crypto/skcipher.h>
@@ -534,8 +535,8 @@ static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
        ret = calc_hmac(digest, derived_key, sizeof derived_key, p, len);
        if (ret < 0)
                goto out;
-       ret = memcmp(digest, epayload->format + epayload->datablob_len,
-                    sizeof digest);
+       ret = crypto_memneq(digest, epayload->format + epayload->datablob_len,
+                           sizeof(digest));
        if (ret) {
                ret = -EINVAL;
                dump_hmac("datablob",
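Review bot: The new `crypto_memneq()` call has no comment explaining why it is not a plain `memcmp()`, so a later cleanup could swap it back without noticing the regression. I would add `/* constant-time compare: do not reveal how many leading HMAC bytes matched */` directly above the `ret = crypto_memneq(...)` line. The failure branch then calls `dump_hmac("datablob", ...)`, whose arguments and definition are outside this hunk. If that helper prints the freshly computed digest, it is worth confirming that it is compiled in only for debug builds, since logging the expected MAC would undo what the constant-time comparison protects. The body of datablob_hmac_verify starts and ends outside the hunk, so the handling of `derived_key` at the `out` label cannot be checked from here.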