2015-11-15 16:16:49

by David Gstir

Subject: [PATCH 0/2] Timing leaks in certain HW-crypto drivers

[resend to linux-crypto]

Hi,

the following patches fix timing leaks which are introduced by using
(non-constant time) memcmp() to verify cryptographic authentication tags.
Specifically, the AES-GCM and AES-CCM implementations in the IBM Power
in-Nest Crypto acceleration driver and the AEAD decryption function in the
Freescale SEC (talitos) driver are vulnerable to this kind of attack.
These timing leaks can be used by an attacker to find the correct
authentication tag value for arbitrary messages with far less effort
than brute-force testing all 2^n possible values for an n-bit tag.

The fix is rather simple: Use crypto_memneq() as the generic implementations
in crypto/* already do.

Kind regards,
David


David Gstir (2):
crypto: nx - Fix timing leak in GCM and CCM decryption
crypto: talitos - Fix timing leak in ESP ICV verification

drivers/crypto/nx/nx-aes-ccm.c | 2 +-
drivers/crypto/nx/nx-aes-gcm.c | 3 ++-
drivers/crypto/talitos.c | 2 +-
3 files changed, 4 insertions(+), 3 deletions(-)

--
2.1.4


2015-11-15 16:16:52

by David Gstir

Subject: [PATCH 1/2] crypto: nx - Fix timing leak in GCM and CCM decryption

Using non-constant time memcmp() makes the verification of the authentication
tag in the decrypt path vulnerable to timing attacks. Fix this by using
crypto_memneq() instead.

Signed-off-by: David Gstir <[email protected]>
---
drivers/crypto/nx/nx-aes-ccm.c | 2 +-
drivers/crypto/nx/nx-aes-gcm.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/nx/nx-aes-ccm.c b/drivers/crypto/nx/nx-aes-ccm.c
index 73ef49922788..7038f364acb5 100644
--- a/drivers/crypto/nx/nx-aes-ccm.c
+++ b/drivers/crypto/nx/nx-aes-ccm.c
@@ -409,7 +409,7 @@ static int ccm_nx_decrypt(struct aead_request *req,
processed += to_process;
} while (processed < nbytes);

- rc = memcmp(csbcpb->cpb.aes_ccm.out_pat_or_mac, priv->oauth_tag,
+ rc = crypto_memneq(csbcpb->cpb.aes_ccm.out_pat_or_mac, priv->oauth_tag,
authsize) ? -EBADMSG : 0;
out:
spin_unlock_irqrestore(&nx_ctx->lock, irq_flags);
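Review bot: the `? -EBADMSG : 0` mapping survives the swap because crypto_memneq() returns zero only when all authsize bytes match, so rc is still 0 on a good tag; its nonzero value is no longer an ordering like memcmp()'s, which is fine here since only truthiness is used. One caveat worth a sentence in the commit message: the do/while loop above has already written decrypted data to the request's destination before this compare runs, so the constant-time check closes the timing channel on the tag but does nothing about unverified plaintext, and callers must keep discarding the output whenever rc is -EBADMSG.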
diff --git a/drivers/crypto/nx/nx-aes-gcm.c b/drivers/crypto/nx/nx-aes-gcm.c
index eee624f589b6..abd465f479c4 100644
--- a/drivers/crypto/nx/nx-aes-gcm.c
+++ b/drivers/crypto/nx/nx-aes-gcm.c
@@ -21,6 +21,7 @@

#include <crypto/internal/aead.h>
#include <crypto/aes.h>
+#include <crypto/algapi.h>
#include <crypto/scatterwalk.h>
#include <linux/module.h>
#include <linux/types.h>
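Review bot: this adds <crypto/algapi.h> for the crypto_memneq() declaration, but the nx-aes-ccm.c hunk in the same patch starts calling crypto_memneq() without any new include. Either that file already reaches the declaration through another header, in which case this line is redundant but harmless, or it needs the same include to build cleanly; make the two files consistent and say in the commit message why the include was needed here. The position between <crypto/aes.h> and <crypto/scatterwalk.h> keeps the alphabetical order.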
@@ -418,7 +419,7 @@ mac:
itag, req->src, req->assoclen + nbytes,
crypto_aead_authsize(crypto_aead_reqtfm(req)),
SCATTERWALK_FROM_SG);
- rc = memcmp(itag, otag,
+ rc = crypto_memneq(itag, otag,
crypto_aead_authsize(crypto_aead_reqtfm(req))) ?
-EBADMSG : 0;
}
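Review bot: crypto_aead_authsize(crypto_aead_reqtfm(req)) is now evaluated twice in this block, once as the length for the scatterwalk copy into itag and again as the length passed to crypto_memneq(); hoist it into a local, e.g. `unsigned int authsize = crypto_aead_authsize(crypto_aead_reqtfm(req));`, as the ccm path already does with its `authsize` variable, so the copied length and the compared length cannot drift apart. The change itself is correct: a nonzero crypto_memneq() result still maps to -EBADMSG.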
--
2.1.4

2015-11-15 16:16:53

by David Gstir

Subject: [PATCH 2/2] crypto: talitos - Fix timing leak in ESP ICV verification

Using non-constant time memcmp() makes the verification of the authentication
tag in the decrypt path vulnerable to timing attacks. Fix this by using
crypto_memneq() instead.

Signed-off-by: David Gstir <[email protected]>
---
drivers/crypto/talitos.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
index 46f531e19ccf..b6f9f42e2985 100644
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -977,7 +977,7 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev,
} else
oicv = (char *)&edesc->link_tbl[0];

- err = memcmp(oicv, icv, authsize) ? -EBADMSG : 0;
+ err = crypto_memneq(oicv, icv, authsize) ? -EBADMSG : 0;
}

kfree(edesc);
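Review bot: this touches only the software-authentication completion path (ipsec_esp_decrypt_swauth_done), while the subject claims ESP ICV verification in general; confirm that no other ICV compare in talitos.c still goes through memcmp(), or narrow the subject to the swauth path. The compare still runs before kfree(edesc), so oicv, which points into edesc->link_tbl in the else branch, is valid at the point of comparison. Pre-existing but adjacent: the `} else` without braces after a braced if-branch trips checkpatch's braces rule and could be fixed while these lines are being touched.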
--
2.1.4

2015-11-16 13:38:28

by Herbert Xu

Subject: Re: [PATCH 0/2] Timing leaks in certain HW-crypto drivers

On Sun, Nov 15, 2015 at 05:14:40PM +0100, David Gstir wrote:
> [resend to linux-crypto]
>
> Hi,
>
> the following patches fix timing leaks which are introduced by using
> (non-constant time) memcmp() to verify cryptographic authentication tags.
> Specifically, the AES-GCM and AES-CCM implementations in the IBM Power
> in-Nest Crypto acceleration driver and the AEAD decryption function in the
> Freescale SEC (talitos) driver are vulnerable to this kind of attack.
> These timing leaks can be used by an attacker to find the correct
> authentication tag value for arbitrary messages with far less effort
> than brute-force testing all 2^n possible values for an n-bit tag.
>
> The fix is rather simple: Use crypto_memneq() as the generic implementations
> in crypto/* already do.

Both patches applied.

Thanks,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt