Commit 0f534e4a authored by Eric Biggers's avatar Eric Biggers Committed by James Morris

KEYS: encrypted: use constant-time HMAC comparison

MACs should, in general, be compared using crypto_memneq() to prevent
timing attacks.

Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
parent 64d107d3
...@@ -30,6 +30,7 @@ ...@@ -30,6 +30,7 @@
#include <linux/scatterlist.h> #include <linux/scatterlist.h>
#include <linux/ctype.h> #include <linux/ctype.h>
#include <crypto/aes.h> #include <crypto/aes.h>
#include <crypto/algapi.h>
#include <crypto/hash.h> #include <crypto/hash.h>
#include <crypto/sha.h> #include <crypto/sha.h>
#include <crypto/skcipher.h> #include <crypto/skcipher.h>
...@@ -534,8 +535,8 @@ static int datablob_hmac_verify(struct encrypted_key_payload *epayload, ...@@ -534,8 +535,8 @@ static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
ret = calc_hmac(digest, derived_key, sizeof derived_key, p, len); ret = calc_hmac(digest, derived_key, sizeof derived_key, p, len);
if (ret < 0) if (ret < 0)
goto out; goto out;
ret = memcmp(digest, epayload->format + epayload->datablob_len, ret = crypto_memneq(digest, epayload->format + epayload->datablob_len,
sizeof digest); sizeof(digest));
if (ret) { if (ret) {
ret = -EINVAL; ret = -EINVAL;
dump_hmac("datablob", dump_hmac("datablob",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment