crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks

When comparing MAC hashes, AEAD authentication tags, or other hash values in the context of authentication or integrity checking, it is important not to leak timing information to a potential attacker, i.e. when communication happens over a network. Bytewise memory comparisons (such as memcmp) are usually optimized so that they return a nonzero value as soon as a mismatch is found. E.g, on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch and up to ~850 cyc for a full match (cold). This early-return behavior can leak timing information as a side channel, allowing an attacker to iteratively guess the correct result. This patch adds a new method crypto_memneq ("memory not equal to each other") to the crypto API that compares memory areas of the same length in roughly "constant time" (cache misses could change the timing, but since they don't reveal information about the content of the strings being compared, they are effectively benign). Iow, best and worst case behaviour take the same amount of time to complete (in contrast to memcmp). Note that crypto_memneq (unlike memcmp) can only be used to test for equality or inequality, NOT for lexicographical order. This, however, is not an issue for its use-cases within the crypto API. We tried to locate all of the places in the crypto API where memcmp was being used for authentication or integrity checking, and convert them over to crypto_memneq. crypto_memneq is declared noinline, placed in its own source file, and compiled with optimizations that might increase code size disabled ("Os") because a smart compiler (or LTO) might notice that the return value is always compared against zero/nonzero, and might then reintroduce the same early-return optimization that we are trying to avoid. Using #pragma or __attribute__ optimization annotations of the code for disabling optimization was avoided as it seems to be considered broken or unmaintained for long time in GCC [1]. Therefore, we work around that by specifying the compile flag for memneq.o directly in the Makefile. We found that this seems to be most appropriate. As we use ("Os"), this patch also provides a loop-free "fast-path" for frequently used 16 byte digests. Similarly to kernel library string functions, leave an option for future even further optimized architecture specific assembler implementations. This was a joint work of James Yonan and Daniel Borkmann. Also thanks for feedback from Florian Weimer on this and earlier proposals [2]. [1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html [2] https://lkml.org/lkml/2013/2/10/131 Signed-off-by: James Yonan <james@openvpn.net> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Florian Weimer <fw@deneb.enyo.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author: James Yonan <james@openvpn.net> 2013-09-26 04:20:39 -0400
committer: Herbert Xu <herbert@gondor.apana.org.au> 2013-10-07 02:17:06 -0400
commit: 6bf37e5aa90f18baf5acf4874bca505dd667c37f (patch)
tree: 7972d4009f662cf78abdbea3b4040316d46503c1
parent: d319fe2a0af3509f959d5195fb8916accbf14857 (diff)
8 files changed, 174 insertions, 14 deletions
diff --git a/crypto/Makefile b/crypto/Makefile
index 580af977f496..d6a401c58d17 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -2,8 +2,13 @@
 # Cryptographic API
 #
+# memneq MUST be built with -Os or -O0 to prevent early-return optimizations
+# that will defeat memneq's actual purpose to prevent timing attacks.
+CFLAGS_REMOVE_memneq.o := -O1 -O2 -O3
+CFLAGS_memneq.o := -Os
 obj-$(CONFIG_CRYPTO) += crypto.o
-crypto-y := api.o cipher.o compress.o
+crypto-y := api.o cipher.o compress.o memneq.o
 obj-$(CONFIG_CRYPTO_WORKQUEUE) += crypto_wq.o
diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c
index 4a6a0696f8a3..1912b9be5043 100644
--- a/crypto/asymmetric_keys/rsa.c
+++ b/crypto/asymmetric_keys/rsa.c
@@ -13,6 +13,7 @@
 #include <linux/module.h>
 #include <linux/kernel.h>
 #include <linux/slab.h>
+#include <crypto/algapi.h>
 #include "public_key.h"
 MODULE_LICENSE("GPL");
@@ -189,12 +190,12 @@ static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size,
                }
        }
-        if (memcmp(asn1_template, EM + T_offset, asn1_size) != 0) {
+        if (crypto_memneq(asn1_template, EM + T_offset, asn1_size) != 0) {
                kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
                return -EBADMSG;
        }
-        if (memcmp(H, EM + T_offset + asn1_size, hash_size) != 0) {
+        if (crypto_memneq(H, EM + T_offset + asn1_size, hash_size) != 0) {
                kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
                return -EKEYREJECTED;
        }
diff --git a/crypto/authenc.c b/crypto/authenc.c
index ffce19de05cf..2b3f4abda929 100644
--- a/crypto/authenc.c
+++ b/crypto/authenc.c
@@ -188,7 +188,7 @@ static void authenc_verify_ahash_update_done(struct crypto_async_request *areq,
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
        if (err)
                goto out;
@@ -227,7 +227,7 @@ static void authenc_verify_ahash_done(struct crypto_async_request *areq,
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
        if (err)
                goto out;
@@ -462,7 +462,7 @@ static int crypto_authenc_verify(struct aead_request *req,
        ihash = ohash + authsize;
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        return memcmp(ihash, ohash, authsize) ? -EBADMSG : 0;
+        return crypto_memneq(ihash, ohash, authsize) ? -EBADMSG : 0;
 }
 static int crypto_authenc_iverify(struct aead_request *req, u8 *iv,
diff --git a/crypto/authencesn.c b/crypto/authencesn.c
index ab53762fc309..c569d58de661 100644
--- a/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -247,7 +247,7 @@ static void authenc_esn_verify_ahash_update_done(struct crypto_async_request *ar
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
        if (err)
                goto out;
@@ -296,7 +296,7 @@ static void authenc_esn_verify_ahash_update_done2(struct crypto_async_request *a
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
        if (err)
                goto out;
@@ -336,7 +336,7 @@ static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq,
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
        if (err)
                goto out;
@@ -568,7 +568,7 @@ static int crypto_authenc_esn_verify(struct aead_request *req)
        ihash = ohash + authsize;
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        return memcmp(ihash, ohash, authsize) ? -EBADMSG : 0;
+        return crypto_memneq(ihash, ohash, authsize) ? -EBADMSG : 0;
 }
 static int crypto_authenc_esn_iverify(struct aead_request *req, u8 *iv,
diff --git a/crypto/ccm.c b/crypto/ccm.c
index 499c91717d93..3e05499d183a 100644
--- a/crypto/ccm.c
+++ b/crypto/ccm.c
@@ -363,7 +363,7 @@ static void crypto_ccm_decrypt_done(struct crypto_async_request *areq,
        if (!err) {
                err = crypto_ccm_auth(req, req->dst, cryptlen);
-                if (!err && memcmp(pctx->auth_tag, pctx->odata, authsize))
+                if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize))
                        err = -EBADMSG;
        }
        aead_request_complete(req, err);
@@ -422,7 +422,7 @@ static int crypto_ccm_decrypt(struct aead_request *req)
                return err;
        /* verify */
-        if (memcmp(authtag, odata, authsize))
+        if (crypto_memneq(authtag, odata, authsize))
                return -EBADMSG;
        return err;
diff --git a/crypto/gcm.c b/crypto/gcm.c
index 43e1fb05ea54..b4f017939004 100644
--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -582,7 +582,7 @@ static int crypto_gcm_verify(struct aead_request *req,
        crypto_xor(auth_tag, iauth_tag, 16);
        scatterwalk_map_and_copy(iauth_tag, req->src, cryptlen, authsize, 0);
-        return memcmp(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
+        return crypto_memneq(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
 }
 static void gcm_decrypt_done(struct crypto_async_request *areq, int err)
diff --git a/crypto/memneq.c b/crypto/memneq.c
new file mode 100644
index 000000000000..cd0162221c14
--- /dev/null
+++ b/crypto/memneq.c
@@ -0,0 +1,138 @@
+/*
+ * Constant-time equality testing of memory regions.
+ *
+ * Authors:
+ *
+ *   James Yonan <james@openvpn.net>
+ *   Daniel Borkmann <dborkman@redhat.com>
+ *
+ * This file is provided under a dual BSD/GPLv2 license.  When using or
+ * redistributing this file, you may do so under either license.
+ *
+ * GPL LICENSE SUMMARY
+ *
+ * Copyright(c) 2013 OpenVPN Technologies, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
+ * The full GNU General Public License is included in this distribution
+ * in the file called LICENSE.GPL.
+ *
+ * BSD LICENSE
+ *
+ * Copyright(c) 2013 OpenVPN Technologies, Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in
+ *     the documentation and/or other materials provided with the
+ *     distribution.
+ *   * Neither the name of OpenVPN Technologies nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include <crypto/algapi.h>
+#ifndef __HAVE_ARCH_CRYPTO_MEMNEQ
+/* Generic path for arbitrary size */
+static inline unsigned long
+__crypto_memneq_generic(const void *a, const void *b, size_t size)
+{
+        unsigned long neq = 0;
+#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
+        while (size >= sizeof(unsigned long)) {
+                neq |= *(unsigned long *)a ^ *(unsigned long *)b;
+                a += sizeof(unsigned long);
+                b += sizeof(unsigned long);
+                size -= sizeof(unsigned long);
+        }
+#endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */
+        while (size > 0) {
+                neq |= *(unsigned char *)a ^ *(unsigned char *)b;
+                a += 1;
+                b += 1;
+                size -= 1;
+        }
+        return neq;
+}
+/* Loop-free fast-path for frequently used 16-byte size */
+static inline unsigned long __crypto_memneq_16(const void *a, const void *b)
+{
+#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+        if (sizeof(unsigned long) == 8)
+                return ((*(unsigned long *)(a)   ^ *(unsigned long *)(b))
+                      | (*(unsigned long *)(a+8) ^ *(unsigned long *)(b+8)));
+        else if (sizeof(unsigned int) == 4)
+                return ((*(unsigned int *)(a)    ^ *(unsigned int *)(b))
+                      | (*(unsigned int *)(a+4)  ^ *(unsigned int *)(b+4))
+                      | (*(unsigned int *)(a+8)  ^ *(unsigned int *)(b+8))
+                      | (*(unsigned int *)(a+12) ^ *(unsigned int *)(b+12)));
+        else
+#endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */
+                return ((*(unsigned char *)(a)    ^ *(unsigned char *)(b))
+                      | (*(unsigned char *)(a+1)  ^ *(unsigned char *)(b+1))
+                      | (*(unsigned char *)(a+2)  ^ *(unsigned char *)(b+2))
+                      | (*(unsigned char *)(a+3)  ^ *(unsigned char *)(b+3))
+                      | (*(unsigned char *)(a+4)  ^ *(unsigned char *)(b+4))
+                      | (*(unsigned char *)(a+5)  ^ *(unsigned char *)(b+5))
+                      | (*(unsigned char *)(a+6)  ^ *(unsigned char *)(b+6))
+                      | (*(unsigned char *)(a+7)  ^ *(unsigned char *)(b+7))
+                      | (*(unsigned char *)(a+8)  ^ *(unsigned char *)(b+8))
+                      | (*(unsigned char *)(a+9)  ^ *(unsigned char *)(b+9))
+                      | (*(unsigned char *)(a+10) ^ *(unsigned char *)(b+10))
+                      | (*(unsigned char *)(a+11) ^ *(unsigned char *)(b+11))
+                      | (*(unsigned char *)(a+12) ^ *(unsigned char *)(b+12))
+                      | (*(unsigned char *)(a+13) ^ *(unsigned char *)(b+13))
+                      | (*(unsigned char *)(a+14) ^ *(unsigned char *)(b+14))
+                      | (*(unsigned char *)(a+15) ^ *(unsigned char *)(b+15)));
+}
+/* Compare two areas of memory without leaking timing information,
+ * and with special optimizations for common sizes.  Users should
+ * not call this function directly, but should instead use
+ * crypto_memneq defined in crypto/algapi.h.
+ */
+noinline unsigned long __crypto_memneq(const void *a, const void *b,
+                                       size_t size)
+{
+        switch (size) {
+        case 16:
+                return __crypto_memneq_16(a, b);
+        default:
+                return __crypto_memneq_generic(a, b, size);
+        }
+}
+EXPORT_SYMBOL(__crypto_memneq);
+#endif /* __HAVE_ARCH_CRYPTO_MEMNEQ */
diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h
index 418d270e1806..e73c19e90e38 100644
--- a/include/crypto/algapi.h
+++ b/include/crypto/algapi.h
@@ -386,5 +386,21 @@ static inline int crypto_requires_sync(u32 type, u32 mask)
        return (type ^ CRYPTO_ALG_ASYNC) & mask & CRYPTO_ALG_ASYNC;
 }
-#endif  /* _CRYPTO_ALGAPI_H */
+noinline unsigned long __crypto_memneq(const void *a, const void *b, size_t size);
+/**
+ * crypto_memneq - Compare two areas of memory without leaking
+ *                 timing information.
+ *
+ * @a: One area of memory
+ * @b: Another area of memory
+ * @size: The size of the area.
+ *
+ * Returns 0 when data is equal, 1 otherwise.
+ */
+static inline int crypto_memneq(const void *a, const void *b, size_t size)
+{
+        return __crypto_memneq(a, b, size) != 0UL ? 1 : 0;
+}
+#endif  /* _CRYPTO_ALGAPI_H */
author	James Yonan <james@openvpn.net>	2013-09-26 04:20:39 -0400
committer	Herbert Xu <herbert@gondor.apana.org.au>	2013-10-07 02:17:06 -0400
commit	6bf37e5aa90f18baf5acf4874bca505dd667c37f (patch)
tree	7972d4009f662cf78abdbea3b4040316d46503c1
parent	d319fe2a0af3509f959d5195fb8916accbf14857 (diff)

diff --git a/crypto/Makefile b/crypto/Makefile index 580af977f496..d6a401c58d17 100644 --- a/crypto/Makefile +++ b/crypto/Makefile
@@ -2,8 +2,13 @@
2	# Cryptographic API	2	# Cryptographic API
3	#	3	#
4		4
		5	# memneq MUST be built with -Os or -O0 to prevent early-return optimizations
		6	# that will defeat memneq's actual purpose to prevent timing attacks.
		7	CFLAGS_REMOVE_memneq.o := -O1 -O2 -O3
		8	CFLAGS_memneq.o := -Os
		9
5	obj-$(CONFIG_CRYPTO) += crypto.o	10	obj-$(CONFIG_CRYPTO) += crypto.o
6	crypto-y := api.o cipher.o compress.o	11	crypto-y := api.o cipher.o compress.o memneq.o
7		12
8	obj-$(CONFIG_CRYPTO_WORKQUEUE) += crypto_wq.o	13	obj-$(CONFIG_CRYPTO_WORKQUEUE) += crypto_wq.o
9		14


diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c index 4a6a0696f8a3..1912b9be5043 100644 --- a/crypto/asymmetric_keys/rsa.c +++ b/crypto/asymmetric_keys/rsa.c
@@ -13,6 +13,7 @@
13	#include <linux/module.h>	13	#include <linux/module.h>
14	#include <linux/kernel.h>	14	#include <linux/kernel.h>
15	#include <linux/slab.h>	15	#include <linux/slab.h>
		16	#include <crypto/algapi.h>
16	#include "public_key.h"	17	#include "public_key.h"
17		18
18	MODULE_LICENSE("GPL");	19	MODULE_LICENSE("GPL");
@@ -189,12 +190,12 @@ static int RSA_verify(const u8 H, const u8 EM, size_t k, size_t hash_size,
189	}	190	}
190	}	191	}
191		192
192	if (memcmp(asn1_template, EM + T_offset, asn1_size) != 0) {	193	if (crypto_memneq(asn1_template, EM + T_offset, asn1_size) != 0) {
193	kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");	194	kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
194	return -EBADMSG;	195	return -EBADMSG;
195	}	196	}
196		197
197	if (memcmp(H, EM + T_offset + asn1_size, hash_size) != 0) {	198	if (crypto_memneq(H, EM + T_offset + asn1_size, hash_size) != 0) {
198	kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");	199	kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
199	return -EKEYREJECTED;	200	return -EKEYREJECTED;
200	}	201	}


diff --git a/crypto/authenc.c b/crypto/authenc.c index ffce19de05cf..2b3f4abda929 100644 --- a/crypto/authenc.c +++ b/crypto/authenc.c
@@ -188,7 +188,7 @@ static void authenc_verify_ahash_update_done(struct crypto_async_request *areq,
188	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,	188	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
189	authsize, 0);	189	authsize, 0);
190		190
191	err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;	191	err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
192	if (err)	192	if (err)
193	goto out;	193	goto out;
194		194
@@ -227,7 +227,7 @@ static void authenc_verify_ahash_done(struct crypto_async_request *areq,
227	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,	227	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
228	authsize, 0);	228	authsize, 0);
229		229
230	err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;	230	err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
231	if (err)	231	if (err)
232	goto out;	232	goto out;
233		233
@@ -462,7 +462,7 @@ static int crypto_authenc_verify(struct aead_request *req,
462	ihash = ohash + authsize;	462	ihash = ohash + authsize;
463	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,	463	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
464	authsize, 0);	464	authsize, 0);
465	return memcmp(ihash, ohash, authsize) ? -EBADMSG : 0;	465	return crypto_memneq(ihash, ohash, authsize) ? -EBADMSG : 0;
466	}	466	}
467		467
468	static int crypto_authenc_iverify(struct aead_request req, u8 iv,	468	static int crypto_authenc_iverify(struct aead_request req, u8 iv,


diff --git a/crypto/authencesn.c b/crypto/authencesn.c index ab53762fc309..c569d58de661 100644 --- a/crypto/authencesn.c +++ b/crypto/authencesn.c
@@ -247,7 +247,7 @@ static void authenc_esn_verify_ahash_update_done(struct crypto_async_request *ar
247	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,	247	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
248	authsize, 0);	248	authsize, 0);
249		249
250	err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;	250	err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
251	if (err)	251	if (err)
252	goto out;	252	goto out;
253		253
@@ -296,7 +296,7 @@ static void authenc_esn_verify_ahash_update_done2(struct crypto_async_request *a
296	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,	296	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
297	authsize, 0);	297	authsize, 0);
298		298
299	err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;	299	err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
300	if (err)	300	if (err)
301	goto out;	301	goto out;
302		302
@@ -336,7 +336,7 @@ static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq,
336	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,	336	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
337	authsize, 0);	337	authsize, 0);
338		338
339	err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;	339	err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
340	if (err)	340	if (err)
341	goto out;	341	goto out;
342		342
@@ -568,7 +568,7 @@ static int crypto_authenc_esn_verify(struct aead_request *req)
568	ihash = ohash + authsize;	568	ihash = ohash + authsize;
569	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,	569	scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
570	authsize, 0);	570	authsize, 0);
571	return memcmp(ihash, ohash, authsize) ? -EBADMSG : 0;	571	return crypto_memneq(ihash, ohash, authsize) ? -EBADMSG : 0;
572	}	572	}
573		573
574	static int crypto_authenc_esn_iverify(struct aead_request req, u8 iv,	574	static int crypto_authenc_esn_iverify(struct aead_request req, u8 iv,


diff --git a/crypto/ccm.c b/crypto/ccm.c index 499c91717d93..3e05499d183a 100644 --- a/crypto/ccm.c +++ b/crypto/ccm.c
@@ -363,7 +363,7 @@ static void crypto_ccm_decrypt_done(struct crypto_async_request *areq,
363		363
364	if (!err) {	364	if (!err) {
365	err = crypto_ccm_auth(req, req->dst, cryptlen);	365	err = crypto_ccm_auth(req, req->dst, cryptlen);
366	if (!err && memcmp(pctx->auth_tag, pctx->odata, authsize))	366	if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize))
367	err = -EBADMSG;	367	err = -EBADMSG;
368	}	368	}
369	aead_request_complete(req, err);	369	aead_request_complete(req, err);
@@ -422,7 +422,7 @@ static int crypto_ccm_decrypt(struct aead_request *req)
422	return err;	422	return err;
423		423
424	/* verify */	424	/* verify */
425	if (memcmp(authtag, odata, authsize))	425	if (crypto_memneq(authtag, odata, authsize))
426	return -EBADMSG;	426	return -EBADMSG;
427		427
428	return err;	428	return err;


diff --git a/crypto/gcm.c b/crypto/gcm.c index 43e1fb05ea54..b4f017939004 100644 --- a/crypto/gcm.c +++ b/crypto/gcm.c
@@ -582,7 +582,7 @@ static int crypto_gcm_verify(struct aead_request *req,
582		582
583	crypto_xor(auth_tag, iauth_tag, 16);	583	crypto_xor(auth_tag, iauth_tag, 16);
584	scatterwalk_map_and_copy(iauth_tag, req->src, cryptlen, authsize, 0);	584	scatterwalk_map_and_copy(iauth_tag, req->src, cryptlen, authsize, 0);
585	return memcmp(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;	585	return crypto_memneq(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
586	}	586	}
587		587
588	static void gcm_decrypt_done(struct crypto_async_request *areq, int err)	588	static void gcm_decrypt_done(struct crypto_async_request *areq, int err)


diff --git a/crypto/memneq.c b/crypto/memneq.c new file mode 100644 index 000000000000..cd0162221c14 --- /dev/null +++ b/crypto/memneq.c
@@ -0,0 +1,138 @@
		1	/*
		2	* Constant-time equality testing of memory regions.
		3	*
		4	* Authors:
		5	*
		6	* James Yonan <james@openvpn.net>
		7	* Daniel Borkmann <dborkman@redhat.com>
		8	*
		9	* This file is provided under a dual BSD/GPLv2 license. When using or
		10	* redistributing this file, you may do so under either license.
		11	*
		12	* GPL LICENSE SUMMARY
		13	*
		14	* Copyright(c) 2013 OpenVPN Technologies, Inc. All rights reserved.
		15	*
		16	* This program is free software; you can redistribute it and/or modify
		17	* it under the terms of version 2 of the GNU General Public License as
		18	* published by the Free Software Foundation.
		19	*
		20	* This program is distributed in the hope that it will be useful, but
		21	* WITHOUT ANY WARRANTY; without even the implied warranty of
		22	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		23	* General Public License for more details.
		24	*
		25	* You should have received a copy of the GNU General Public License
		26	* along with this program; if not, write to the Free Software
		27	* Foundation, Inc., 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
		28	* The full GNU General Public License is included in this distribution
		29	* in the file called LICENSE.GPL.
		30	*
		31	* BSD LICENSE
		32	*
		33	* Copyright(c) 2013 OpenVPN Technologies, Inc. All rights reserved.
		34	*
		35	* Redistribution and use in source and binary forms, with or without
		36	* modification, are permitted provided that the following conditions
		37	* are met:
		38	*
		39	* * Redistributions of source code must retain the above copyright
		40	* notice, this list of conditions and the following disclaimer.
		41	* * Redistributions in binary form must reproduce the above copyright
		42	* notice, this list of conditions and the following disclaimer in
		43	* the documentation and/or other materials provided with the
		44	* distribution.
		45	* * Neither the name of OpenVPN Technologies nor the names of its
		46	* contributors may be used to endorse or promote products derived
		47	* from this software without specific prior written permission.
		48	*
		49	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
		50	* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
		51	* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
		52	* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
		53	* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
		54	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
		55	* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
		56	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
		57	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
		58	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
		59	* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
		60	*/
		61
		62	#include <crypto/algapi.h>
		63
		64	#ifndef __HAVE_ARCH_CRYPTO_MEMNEQ
		65
		66	/* Generic path for arbitrary size */
		67	static inline unsigned long
		68	__crypto_memneq_generic(const void a, const void b, size_t size)
		69	{
		70	unsigned long neq = 0;
		71
		72	#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
		73	while (size >= sizeof(unsigned long)) {
		74	neq \|= (unsigned long )a ^ (unsigned long )b;
		75	a += sizeof(unsigned long);
		76	b += sizeof(unsigned long);
		77	size -= sizeof(unsigned long);
		78	}
		79	#endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */
		80	while (size > 0) {
		81	neq \|= (unsigned char )a ^ (unsigned char )b;
		82	a += 1;
		83	b += 1;
		84	size -= 1;
		85	}
		86	return neq;
		87	}
		88
		89	/* Loop-free fast-path for frequently used 16-byte size */
		90	static inline unsigned long __crypto_memneq_16(const void a, const void b)
		91	{
		92	#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
		93	if (sizeof(unsigned long) == 8)
		94	return (((unsigned long )(a) ^ (unsigned long )(b))
		95	\| ((unsigned long )(a+8) ^ (unsigned long )(b+8)));
		96	else if (sizeof(unsigned int) == 4)
		97	return (((unsigned int )(a) ^ (unsigned int )(b))
		98	\| ((unsigned int )(a+4) ^ (unsigned int )(b+4))
		99	\| ((unsigned int )(a+8) ^ (unsigned int )(b+8))
		100	\| ((unsigned int )(a+12) ^ (unsigned int )(b+12)));
		101	else
		102	#endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */
		103	return (((unsigned char )(a) ^ (unsigned char )(b))
		104	\| ((unsigned char )(a+1) ^ (unsigned char )(b+1))
		105	\| ((unsigned char )(a+2) ^ (unsigned char )(b+2))
		106	\| ((unsigned char )(a+3) ^ (unsigned char )(b+3))
		107	\| ((unsigned char )(a+4) ^ (unsigned char )(b+4))
		108	\| ((unsigned char )(a+5) ^ (unsigned char )(b+5))
		109	\| ((unsigned char )(a+6) ^ (unsigned char )(b+6))
		110	\| ((unsigned char )(a+7) ^ (unsigned char )(b+7))
		111	\| ((unsigned char )(a+8) ^ (unsigned char )(b+8))
		112	\| ((unsigned char )(a+9) ^ (unsigned char )(b+9))
		113	\| ((unsigned char )(a+10) ^ (unsigned char )(b+10))
		114	\| ((unsigned char )(a+11) ^ (unsigned char )(b+11))
		115	\| ((unsigned char )(a+12) ^ (unsigned char )(b+12))
		116	\| ((unsigned char )(a+13) ^ (unsigned char )(b+13))
		117	\| ((unsigned char )(a+14) ^ (unsigned char )(b+14))
		118	\| ((unsigned char )(a+15) ^ (unsigned char )(b+15)));
		119	}
		120
		121	/* Compare two areas of memory without leaking timing information,
		122	* and with special optimizations for common sizes. Users should
		123	* not call this function directly, but should instead use
		124	* crypto_memneq defined in crypto/algapi.h.
		125	*/
		126	noinline unsigned long __crypto_memneq(const void a, const void b,
		127	size_t size)
		128	{
		129	switch (size) {
		130	case 16:
		131	return __crypto_memneq_16(a, b);
		132	default:
		133	return __crypto_memneq_generic(a, b, size);
		134	}
		135	}
		136	EXPORT_SYMBOL(__crypto_memneq);
		137
		138	#endif /* __HAVE_ARCH_CRYPTO_MEMNEQ */


diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h index 418d270e1806..e73c19e90e38 100644 --- a/include/crypto/algapi.h +++ b/include/crypto/algapi.h
@@ -386,5 +386,21 @@ static inline int crypto_requires_sync(u32 type, u32 mask)
386	return (type ^ CRYPTO_ALG_ASYNC) & mask & CRYPTO_ALG_ASYNC;	386	return (type ^ CRYPTO_ALG_ASYNC) & mask & CRYPTO_ALG_ASYNC;
387	}	387	}
388		388
389	#endif /* _CRYPTO_ALGAPI_H */	389	noinline unsigned long __crypto_memneq(const void a, const void b, size_t size);
		390
		391	/**
		392	* crypto_memneq - Compare two areas of memory without leaking
		393	* timing information.
		394	*
		395	* @a: One area of memory
		396	* @b: Another area of memory
		397	* @size: The size of the area.
		398	*
		399	* Returns 0 when data is equal, 1 otherwise.
		400	*/
		401	static inline int crypto_memneq(const void a, const void b, size_t size)
		402	{
		403	return __crypto_memneq(a, b, size) != 0UL ? 1 : 0;
		404	}
390		405
		406	#endif /* _CRYPTO_ALGAPI_H */