On Tue, 2017-10-17 at 01:30 +0200, Jason A. Donenfeld wrote: > Mobile phone right now, so not able to write patch, but you probably > should be using crypto_memneq for comparing those two keys, not > memcmp.
I know that's a gut instinct, but I really don't see the point. If you actually get this to evaluate to "equal", you're already being attacked, and the attacker already knows they're trying to get the same key to be installed again. If it's not equal, you execute so much code beneath, going to the driver etc., that I'd think this particular time is in the noise. Also, this isn't something that the attacker can directly observe anyway, and if they can, then surely the fact that we *skip* a large amount of code when returning 0 is also observable. Besides, the only thing that can observe the timing is hostapd or wpa_supplicant, which obviously know the key (and in the fixed versions will already have done the comparison themselves). And lastly, if you wanted to use this as an oracle to get the key back from the kernel, then you already have admin permissions (in your network namespace), and can just sniff netlink traffic anyway. johannes
