crypto: rsa-pkcs1pad - use constant time memory comparison for MACs commit fec17cb2231733174e039ad9054fa16bb358e2ec upstream. Otherwise, we enable all sorts of forgeries via timing attack. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Suggested-by: Stephan Müller <smueller@chronox.de> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: linux-crypto@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit: 716986547f1f052a7f49b5e5502e76db3a32d3e7 [log] [tgz]
author: Jason A. Donenfeld <Jason@zx2c4.com> Sun Jun 11 23:20:23 2017 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Sat Jul 15 12:16:16 2017 +0200
tree: ebb1761cfabb4100d70d88c1a77440459750ef0a
parent: 0d6758f74a469ff34e353ddd9bf3229afff7915b [diff] [blame]
diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c
index 8baab43..7830d30 100644
--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c

@@ -496,7 +496,7 @@
 		goto done;
 	pos++;
 
-	if (memcmp(out_buf + pos, digest_info->data, digest_info->size))
+	if (crypto_memneq(out_buf + pos, digest_info->data, digest_info->size))
 		goto done;
 
 	pos += digest_info->size;
commit	716986547f1f052a7f49b5e5502e76db3a32d3e7	[log] [tgz]
author	Jason A. Donenfeld <Jason@zx2c4.com>	Sun Jun 11 23:20:23 2017 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	Sat Jul 15 12:16:16 2017 +0200
tree	ebb1761cfabb4100d70d88c1a77440459750ef0a
parent	0d6758f74a469ff34e353ddd9bf3229afff7915b [diff] [blame]