Whenever you're comparing two MACs, it's important to do this using crypto_memneq instead of memcmp. With memcmp, you leak timing information, which could then be used to iteratively forge a MAC. This is far too basic of a mistake for us to have so pervasively in the year 2017, so let's begin cleaning this stuff up. The following 6 locations were found with some simple regex greps, but I'm sure more lurk below the surface. If you maintain some code or know somebody who maintains some code that deals with MACs, tell them to double check which comparison function they're using.
Jason A. Donenfeld (6): sunrpc: use constant time memory comparison for mac net/ipv6: use constant time memory comparison for mac ccree: use constant time memory comparison for macs and tags security/keys: use constant time memory comparison for macs bluetooth/smp: use constant time memory comparison for secret values mac80211/wpa: use constant time memory comparison for MACs Cc: Anna Schumaker <[email protected]> Cc: David Howells <[email protected]> Cc: David Safford <[email protected]> Cc: "David S. Miller" <[email protected]> Cc: Gilad Ben-Yossef <[email protected]> Cc: Greg Kroah-Hartman <[email protected]> Cc: Gustavo Padovan <[email protected]> Cc: "J. Bruce Fields" <[email protected]> Cc: Jeff Layton <[email protected]> Cc: Johan Hedberg <[email protected]> Cc: Johannes Berg <[email protected]> Cc: Marcel Holtmann <[email protected]> Cc: Mimi Zohar <[email protected]> Cc: Trond Myklebust <[email protected]> Cc: [email protected] Cc: [email protected] Cc: [email protected] Cc: [email protected] Cc: [email protected] drivers/staging/ccree/ssi_fips_ll.c | 17 ++++++++------- net/bluetooth/smp.c | 39 ++++++++++++++++++----------------- net/ipv6/seg6_hmac.c | 3 ++- net/mac80211/wpa.c | 9 ++++---- net/sunrpc/auth_gss/gss_krb5_crypto.c | 3 ++- security/keys/trusted.c | 7 ++++--- 6 files changed, 42 insertions(+), 36 deletions(-) -- 2.13.1
