KEYS: trusted_tpm1: Compare HMAC values in constant time

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

To prevent timing attacks, HMAC value comparison needs to be constant
time. Replace the memcmp() with the correct function, crypto_memneq().

[For the Fixes commit I used the commit that introduced the memcmp().
It predates the introduction of crypto_memneq(), but it was still a bug
at the time even though a helper function didn't exist yet.]

Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

authored by

Eric Biggers and committed by

Jarkko Sakkinen 6 months ago eed0e3d3 fec734e8

+4 -3

1 changed file

expand all

security

keys

trusted-keys

trusted_tpm1.c

+4 -3

security/keys/trusted-keys/trusted_tpm1.c

··· 7 7 */ 8 8 9 9 #include <crypto/hash_info.h> 10 + #include <crypto/utils.h> 10 11 #include <linux/init.h> 11 12 #include <linux/slab.h> 12 13 #include <linux/parser.h> ··· 242 241 if (ret < 0) 243 242 goto out; 244 243 245 - if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) 244 + if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE)) 246 245 ret = -EINVAL; 247 246 out: 248 247 kfree_sensitive(sdesc); ··· 335 334 TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); 336 335 if (ret < 0) 337 336 goto out; 338 - if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { 337 + if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { 339 338 ret = -EINVAL; 340 339 goto out; 341 340 } ··· 344 343 TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); 345 344 if (ret < 0) 346 345 goto out; 347 - if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) 346 + if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE)) 348 347 ret = -EINVAL; 349 348 out: 350 349 kfree_sensitive(sdesc);