Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-5.4 / 0f534e4a13496b02ae284f50fcb0263f6ea37007^! / .
commit0f534e4a13496b02ae284f50fcb0263f6ea37007[log] [tgz]
authorEric Biggers <ebiggers@google.com>Thu Jun 08 14:48:32 2017 +0100
committerJames Morris <james.l.morris@oracle.com>Fri Jun 09 13:29:47 2017 +1000
treea5200ddfa62a42340dd2ee2e918fb5b001240382
parent64d107d3acca1565c39c044c459fd18f70943534 [diff]
KEYS: encrypted: use constant-time HMAC comparison

MACs should, in general, be compared using crypto_memneq() to prevent
timing attacks.

Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>

diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index 702c806..5c98c2f 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c

@@ -30,6 +30,7 @@
 #include <linux/scatterlist.h>
 #include <linux/ctype.h>
 #include <crypto/aes.h>
+#include <crypto/algapi.h>
 #include <crypto/hash.h>
 #include <crypto/sha.h>
 #include <crypto/skcipher.h>
@@ -534,8 +535,8 @@ static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
 	ret = calc_hmac(digest, derived_key, sizeof derived_key, p, len);
 	if (ret < 0)
 		goto out;
-	ret = memcmp(digest, epayload->format + epayload->datablob_len,
-		     sizeof digest);
+	ret = crypto_memneq(digest, epayload->format + epayload->datablob_len,
+			    sizeof(digest));
 	if (ret) {
 		ret = -EINVAL;
 		dump_hmac("datablob",