crypto: rsa-pkcs1pad - use constant time memory comparison for MACs

Otherwise, we enable all sorts of forgeries via timing attack.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Suggested-by: Stephan Müller <smueller@chronox.de>
Cc: stable@vger.kernel.org
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-crypto@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c
index 044bcfa69cba1bf9f3f344bec8ac76fdf21346ec..407c64bdcdd9a39cb7c00ab4338fa0cc395dec58 100644 (file)
--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -490,7 +490,7 @@ static int pkcs1pad_verify_complete(struct akcipher_request *req, int err)
                goto done;
        pos++;
 
-       if (memcmp(out_buf + pos, digest_info->data, digest_info->size))
+       if (crypto_memneq(out_buf + pos, digest_info->data, digest_info->size))
                goto done;
 
        pos += digest_info->size;