crypto: talitos - Fix timing leak in ESP ICV verification

iokill · herbertx · commit 79960943fdc1 · 2015-11-16T21:39:24.000+08:00
Using non-constant time memcmp() makes the verification of the authentication
tag in the decrypt path vulnerable to timing attacks. Fix this by using
crypto_memneq() instead.

Cc: stable@vger.kernel.org
Signed-off-by: David Gstir &lt;david@sigma-star.at&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
@@ -977,7 +977,7 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev,
 		} else
 			oicv = (char *)&edesc->link_tbl[0];
 
-		err = memcmp(oicv, icv, authsize) ? -EBADMSG : 0;
+		err = crypto_memneq(oicv, icv, authsize) ? -EBADMSG : 0;
 	}
 
 	kfree(edesc);

Original file line number	Diff line number	Diff line change
`@@ -977,7 +977,7 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev,`
`977`	`977`	`} else`
`978`	`978`	`oicv = (char *)&edesc->link_tbl[0];`
`979`	`979`
`980`		`- err = memcmp(oicv, icv, authsize) ? -EBADMSG : 0;`
	`980`	`+ err = crypto_memneq(oicv, icv, authsize) ? -EBADMSG : 0;`
`981`	`981`	`}`
`982`	`982`
`983`	`983`	`kfree(edesc);`