author | David Gstir <david@sigma-star.at> | 2015-11-15 11:14:41 -0500 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2015-11-16 08:39:23 -0500 |
commit | cb8affb55c7e64816f3effcd9b2fc3268c016fac (patch) | |
tree | a4db924f12ad7421f71ca0ca10a374b4eb814267 | |
parent | 8005c49d9aea74d382f474ce11afbbc7d7130bec (diff) |
crypto: nx - Fix timing leak in GCM and CCM decryption
Using non-constant-time memcmp() makes the verification of the authentication
tag in the decrypt path vulnerable to timing attacks. Fix this by using
crypto_memneq() instead.
Cc: stable@vger.kernel.org
Signed-off-by: David Gstir <david@sigma-star.at>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r-- | drivers/crypto/nx/nx-aes-ccm.c | 2 | ||||
-rw-r--r-- | drivers/crypto/nx/nx-aes-gcm.c | 3 |
2 files changed, 3 insertions, 2 deletions
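--- a/drivers/crypto/nx/nx-aes-ccm.c
+++ b/drivers/crypto/nx/nx-aes-ccm.c
@@ -409,7 +409,7 @@ static int ccm_nx_decrypt(struct aead_request *req,
 processed += to_process;
 } while (processed < nbytes);
 
-rc = memcmp(csbcpb->cpb.aes_ccm.out_pat_or_mac, priv->oauth_tag,
+rc = crypto_memneq(csbcpb->cpb.aes_ccm.out_pat_or_mac, priv->oauth_tag,
 authsize) ? -EBADMSG : 0;
 out:
 spin_unlock_irqrestore(&nx_ctx->lock, irq_flags);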
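Review bot: The new crypto_memneq() call at old line 412 depends on <crypto/algapi.h> being in scope, yet unlike the nx-aes-gcm.c part of this commit no include is added here; if nx-aes-ccm.c does not already include that header directly, add `#include <crypto/algapi.h>` beside the other crypto headers rather than relying on transitive inclusion. The ternary keeps its meaning because crypto_memneq() returns non-zero exactly when the two buffers differ, which is how the memcmp() result was being used. ccm_nx_decrypt() begins before this hunk, so the rest of its body is not visible.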
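--- a/drivers/crypto/nx/nx-aes-gcm.c
+++ b/drivers/crypto/nx/nx-aes-gcm.c
@@ -21,6 +21,7 @@
 
 #include <crypto/internal/aead.h>
 #include <crypto/aes.h>
+#include <crypto/algapi.h>
 #include <crypto/scatterwalk.h>
 #include <linux/module.h>
 #include <linux/types.h>
@@ -418,7 +419,7 @@ mac:
 itag, req->src, req->assoclen + nbytes,
 crypto_aead_authsize(crypto_aead_reqtfm(req)),
 SCATTERWALK_FROM_SG);
-rc = memcmp(itag, otag,
+rc = crypto_memneq(itag, otag,
 crypto_aead_authsize(crypto_aead_reqtfm(req))) ?
 -EBADMSG : 0;
 }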
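Review bot: `crypto_aead_authsize(crypto_aead_reqtfm(req))` is evaluated twice in the mac: block (old lines 419 and 422), once as the scatterwalk copy length and once as the crypto_memneq() length; hoisting it into a local such as `unsigned int authsize = crypto_aead_authsize(crypto_aead_reqtfm(req));` and passing `authsize` to both calls would mirror the `authsize` variable the CCM decrypt path already uses and make it obvious that the compared length equals the copied length. The switch to crypto_memneq() keeps the ternary correct, since it returns non-zero exactly when the tags differ. The enclosing function starts before this hunk and only the tail of the mac: block is visible.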