crypto: rsa-pkcs1pad - use constant time memory comparison for MACs
commit fec17cb upstream.

Otherwise, we enable all sorts of forgeries via timing attack.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Suggested-by: Stephan Müller <smueller@chronox.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-crypto@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jason A. Donenfeld authored and Greg Kroah-Hartman committed Jul 15, 2017
1 parent d56e029 commit f85a3c8
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion crypto/rsa-pkcs1pad.c
Expand Up @@ -496,7 +496,7 @@ static int pkcs1pad_verify_complete(struct akcipher_request *req, int err)
goto done;
pos++;

if (memcmp(out_buf + pos, digest_info->data, digest_info->size))
if (crypto_memneq(out_buf + pos, digest_info->data, digest_info->size))
goto done;

pos += digest_info->size;
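Review bot: the replaced `memcmp` returns as soon as it hits the first differing byte, so the elapsed time of `pkcs1pad_verify_complete` leaked how many leading bytes of the recovered DigestInfo matched the expected encoding; `crypto_memneq` runs in time independent of the data, and since it returns zero on equality and non-zero otherwise, keeping the bare `if (...) goto done;` test is correct. Two things to confirm that the hunk does not show: that crypto/rsa-pkcs1pad.c includes `<crypto/algapi.h>`, which declares `crypto_memneq`, and that this is the only `memcmp` on attacker-influenced data in this function, since the subject line says MACs but the visible comparison is the DigestInfo check in PKCS#1 v1.5 signature verification.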