8 files changed, 174 insertions, 14 deletions

diff --git a/crypto/Makefile b/crypto/Makefile
index 580af977f496..d6a401c58d17 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -2,8 +2,13 @@
 # Cryptographic API
 #
 
+# memneq MUST be built with -Os or -O0 to prevent early-return optimizations
+# that will defeat memneq's actual purpose to prevent timing attacks.
+CFLAGS_REMOVE_memneq.o := -O1 -O2 -O3
+CFLAGS_memneq.o := -Os
+
 obj-$(CONFIG_CRYPTO) += crypto.o
-crypto-y := api.o cipher.o compress.o
+crypto-y := api.o cipher.o compress.o memneq.o
 
 obj-$(CONFIG_CRYPTO_WORKQUEUE) += crypto_wq.o
 
diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c
index 4a6a0696f8a3..1912b9be5043 100644
--- a/crypto/asymmetric_keys/rsa.c
+++ b/crypto/asymmetric_keys/rsa.c
@@ -13,6 +13,7 @@
 #include <linux/module.h>
 #include <linux/kernel.h>
 #include <linux/slab.h>
+#include <crypto/algapi.h>
 #include "public_key.h"
 
 MODULE_LICENSE("GPL");
@@ -189,12 +190,12 @@ static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size,
                 }
         }
 
-        if (memcmp(asn1_template, EM + T_offset, asn1_size) != 0) {
+        if (crypto_memneq(asn1_template, EM + T_offset, asn1_size) != 0) {
                 kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
                 return -EBADMSG;
         }
 
-        if (memcmp(H, EM + T_offset + asn1_size, hash_size) != 0) {
+        if (crypto_memneq(H, EM + T_offset + asn1_size, hash_size) != 0) {
                 kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
                 return -EKEYREJECTED;
         }
diff --git a/crypto/authenc.c b/crypto/authenc.c
index ffce19de05cf..2b3f4abda929 100644
--- a/crypto/authenc.c
+++ b/crypto/authenc.c
@@ -188,7 +188,7 @@ static void authenc_verify_ahash_update_done(struct crypto_async_request *areq,
         scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                  authsize, 0);
 
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
         if (err)
                 goto out;
 
@@ -227,7 +227,7 @@ static void authenc_verify_ahash_done(struct crypto_async_request *areq,
         scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                  authsize, 0);
 
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
         if (err)
                 goto out;
 
@@ -462,7 +462,7 @@ static int crypto_authenc_verify(struct aead_request *req,
         ihash = ohash + authsize;
         scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                  authsize, 0);
-        return memcmp(ihash, ohash, authsize) ? -EBADMSG : 0;
+        return crypto_memneq(ihash, ohash, authsize) ? -EBADMSG : 0;
 }
 
 static int crypto_authenc_iverify(struct aead_request *req, u8 *iv,
diff --git a/crypto/authencesn.c b/crypto/authencesn.c
index ab53762fc309..c569d58de661 100644
--- a/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -247,7 +247,7 @@ static void authenc_esn_verify_ahash_update_done(struct crypto_async_request *ar
         scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                  authsize, 0);
 
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
         if (err)
                 goto out;
 
@@ -296,7 +296,7 @@ static void authenc_esn_verify_ahash_update_done2(struct crypto_async_request *a
         scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                  authsize, 0);
 
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
         if (err)
                 goto out;
 
@@ -336,7 +336,7 @@ static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq,
         scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                  authsize, 0);
 
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
         if (err)
                 goto out;
 
@@ -568,7 +568,7 @@ static int crypto_authenc_esn_verify(struct aead_request *req)
         ihash = ohash + authsize;
         scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                  authsize, 0);
-        return memcmp(ihash, ohash, authsize) ? -EBADMSG : 0;
+        return crypto_memneq(ihash, ohash, authsize) ? -EBADMSG : 0;
 }
 
 static int crypto_authenc_esn_iverify(struct aead_request *req, u8 *iv,
diff --git a/crypto/ccm.c b/crypto/ccm.c
index 499c91717d93..3e05499d183a 100644
--- a/crypto/ccm.c
+++ b/crypto/ccm.c
@@ -363,7 +363,7 @@ static void crypto_ccm_decrypt_done(struct crypto_async_request *areq,
 
         if (!err) {
                 err = crypto_ccm_auth(req, req->dst, cryptlen);
-                if (!err && memcmp(pctx->auth_tag, pctx->odata, authsize))
+                if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize))
                         err = -EBADMSG;
         }
         aead_request_complete(req, err);
@@ -422,7 +422,7 @@ static int crypto_ccm_decrypt(struct aead_request *req)
                 return err;
 
         /* verify */
-        if (memcmp(authtag, odata, authsize))
+        if (crypto_memneq(authtag, odata, authsize))
                 return -EBADMSG;
 
         return err;
diff --git a/crypto/gcm.c b/crypto/gcm.c
index 43e1fb05ea54..b4f017939004 100644
--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -582,7 +582,7 @@ static int crypto_gcm_verify(struct aead_request *req,
 
         crypto_xor(auth_tag, iauth_tag, 16);
         scatterwalk_map_and_copy(iauth_tag, req->src, cryptlen, authsize, 0);
-        return memcmp(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
+        return crypto_memneq(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
 }
 
 static void gcm_decrypt_done(struct crypto_async_request *areq, int err)
diff --git a/crypto/memneq.c b/crypto/memneq.c
new file mode 100644
index 000000000000..cd0162221c14
--- /dev/null
+++ b/crypto/memneq.c
@@ -0,0 +1,138 @@
+/*
+ * Constant-time equality testing of memory regions.
+ *
+ * Authors:
+ *
+ *   James Yonan <james@openvpn.net>
+ *   Daniel Borkmann <dborkman@redhat.com>
+ *
+ * This file is provided under a dual BSD/GPLv2 license.  When using or
+ * redistributing this file, you may do so under either license.
+ *
+ * GPL LICENSE SUMMARY
+ *
+ * Copyright(c) 2013 OpenVPN Technologies, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
+ * The full GNU General Public License is included in this distribution
+ * in the file called LICENSE.GPL.
+ *
+ * BSD LICENSE
+ *
+ * Copyright(c) 2013 OpenVPN Technologies, Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in
+ *     the documentation and/or other materials provided with the
+ *     distribution.
+ *   * Neither the name of OpenVPN Technologies nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <crypto/algapi.h>
+
+#ifndef __HAVE_ARCH_CRYPTO_MEMNEQ
+
+/* Generic path for arbitrary size */
+static inline unsigned long
+__crypto_memneq_generic(const void *a, const void *b, size_t size)
+{
+        unsigned long neq = 0;
+
+#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
+        while (size >= sizeof(unsigned long)) {
+                neq |= *(unsigned long *)a ^ *(unsigned long *)b;
+                a += sizeof(unsigned long);
+                b += sizeof(unsigned long);
+                size -= sizeof(unsigned long);
+        }
+#endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */
+        while (size > 0) {
+                neq |= *(unsigned char *)a ^ *(unsigned char *)b;
+                a += 1;
+                b += 1;
+                size -= 1;
+        }
+        return neq;
+}
+
+/* Loop-free fast-path for frequently used 16-byte size */
+static inline unsigned long __crypto_memneq_16(const void *a, const void *b)
+{
+#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+        if (sizeof(unsigned long) == 8)
+                return ((*(unsigned long *)(a)   ^ *(unsigned long *)(b))
+                      | (*(unsigned long *)(a+8) ^ *(unsigned long *)(b+8)));
+        else if (sizeof(unsigned int) == 4)
+                return ((*(unsigned int *)(a)    ^ *(unsigned int *)(b))
+                      | (*(unsigned int *)(a+4)  ^ *(unsigned int *)(b+4))
+                      | (*(unsigned int *)(a+8)  ^ *(unsigned int *)(b+8))
+                      | (*(unsigned int *)(a+12) ^ *(unsigned int *)(b+12)));
+        else
+#endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */
+                return ((*(unsigned char *)(a)    ^ *(unsigned char *)(b))
+                      | (*(unsigned char *)(a+1)  ^ *(unsigned char *)(b+1))
+                      | (*(unsigned char *)(a+2)  ^ *(unsigned char *)(b+2))
+                      | (*(unsigned char *)(a+3)  ^ *(unsigned char *)(b+3))
+                      | (*(unsigned char *)(a+4)  ^ *(unsigned char *)(b+4))
+                      | (*(unsigned char *)(a+5)  ^ *(unsigned char *)(b+5))
+                      | (*(unsigned char *)(a+6)  ^ *(unsigned char *)(b+6))
+                      | (*(unsigned char *)(a+7)  ^ *(unsigned char *)(b+7))
+                      | (*(unsigned char *)(a+8)  ^ *(unsigned char *)(b+8))
+                      | (*(unsigned char *)(a+9)  ^ *(unsigned char *)(b+9))
+                      | (*(unsigned char *)(a+10) ^ *(unsigned char *)(b+10))
+                      | (*(unsigned char *)(a+11) ^ *(unsigned char *)(b+11))
+                      | (*(unsigned char *)(a+12) ^ *(unsigned char *)(b+12))
+                      | (*(unsigned char *)(a+13) ^ *(unsigned char *)(b+13))
+                      | (*(unsigned char *)(a+14) ^ *(unsigned char *)(b+14))
+                      | (*(unsigned char *)(a+15) ^ *(unsigned char *)(b+15)));
+}
+
+/* Compare two areas of memory without leaking timing information,
+ * and with special optimizations for common sizes.  Users should
+ * not call this function directly, but should instead use
+ * crypto_memneq defined in crypto/algapi.h.
+ */
+noinline unsigned long __crypto_memneq(const void *a, const void *b,
+                                       size_t size)
+{
+        switch (size) {
+        case 16:
+                return __crypto_memneq_16(a, b);
+        default:
+                return __crypto_memneq_generic(a, b, size);
+        }
+}
+EXPORT_SYMBOL(__crypto_memneq);
+
+#endif /* __HAVE_ARCH_CRYPTO_MEMNEQ */
diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h
index 418d270e1806..e73c19e90e38 100644
--- a/include/crypto/algapi.h
+++ b/include/crypto/algapi.h
@@ -386,5 +386,21 @@ static inline int crypto_requires_sync(u32 type, u32 mask)
         return (type ^ CRYPTO_ALG_ASYNC) & mask & CRYPTO_ALG_ASYNC;
 }
 
-#endif  /* _CRYPTO_ALGAPI_H */
+noinline unsigned long __crypto_memneq(const void *a, const void *b, size_t size);
+
+/**
+ * crypto_memneq - Compare two areas of memory without leaking
+ *                 timing information.
+ *
+ * @a: One area of memory
+ * @b: Another area of memory
+ * @size: The size of the area.
+ *
+ * Returns 0 when data is equal, 1 otherwise.
+ */
+static inline int crypto_memneq(const void *a, const void *b, size_t size)
+{
+        return __crypto_memneq(a, b, size) != 0UL ? 1 : 0;
+}
 
+#endif  /* _CRYPTO_ALGAPI_H */