Re: crypto_memneq not backported to 3.10

2017-05-01 Thread Willy Tarreau
Hi Jason,

On Mon, May 01, 2017 at 04:30:01PM +0200, Jason A. Donenfeld wrote:
> > I'll check if the 3.12 patches above can be safely backported, and I'll
> > have to re-apply the missing part of the one that was trimmed down
> > (commit 620c411 ("crypto: more robust crypto_memneq")).
> 
> I'm vaguely wondering if you ever decided on backporting this. After I
> reported the issue to Ubiquiti -- a random vendor doing ipsec with
> 3.10 -- they actually released a backport of these functions in a
> security update for their stuff. So I imagine others might want this
> sort of thing too.

I'll do it. It just happens that I've been quite busy lately so
no new 3.10 was released since you reported this ~1 month ago. I'll
get back to this ASAP.

Thanks for the heads up,
Willy


Re: crypto_memneq not backported to 3.10

2017-05-01 Thread Jason A. Donenfeld
Hey Willy,

On Sun, Apr 9, 2017 at 3:25 PM, Willy Tarreau  wrote:
>
> Hi Jason,
>
> On Sun, Apr 09, 2017 at 02:59:53PM +0200, Jason A. Donenfeld wrote:
> > Hey Willy,
> >
> > Linux 3.10 is inexplicably missing crypto_memneq, making all crypto
> > mac comparisons use non constant-time comparisons. Bad news bears.
> >
> > 3.12 got these backported with
> > d68e944a8fcb2c6212b38064771c9f5af7b0b92c,
> > afe5a791d374e50a06ada7f4eda4e921e1b77996, and possibly others. I'd
> > suggest following suit, since many people are relying on this kernel
> > to do safe crypto.
>
> Interesting. I remembered seeing some crypto_memneq stuff in the past,
> and in fact there was one patch talking about this but trimmed down to
> only affect other parts since crypto_memneq is indeed not part of 3.10.
>
> I'll check if the 3.12 patches above can be safely backported, and I'll
> have to re-apply the missing part of the one that was trimmed down
> (commit 620c411 ("crypto: more robust crypto_memneq")).

I'm vaguely wondering if you ever decided on backporting this. After I
reported the issue to Ubiquiti -- a random vendor doing ipsec with
3.10 -- they actually released a backport of these functions in a
security update for their stuff. So I imagine others might want this
sort of thing too.

Jason


Re: crypto_memneq not backported to 3.10

2017-04-09 Thread Willy Tarreau
Hi Jason,

On Sun, Apr 09, 2017 at 02:59:53PM +0200, Jason A. Donenfeld wrote:
> Hey Willy,
> 
> Linux 3.10 is inexplicably missing crypto_memneq, making all crypto
> mac comparisons use non constant-time comparisons. Bad news bears.
> 
> 3.12 got these backported with
> d68e944a8fcb2c6212b38064771c9f5af7b0b92c,
> afe5a791d374e50a06ada7f4eda4e921e1b77996, and possibly others. I'd
> suggest following suit, since many people are relying on this kernel
> to do safe crypto.

Interesting. I remembered seeing some crypto_memneq stuff in the past,
and in fact there was one patch talking about this but trimmed down to
only affect other parts since crypto_memneq is indeed not part of 3.10.

I'll check if the 3.12 patches above can be safely backported, and I'll
have to re-apply the missing part of the one that was trimmed down
(commit 620c411 ("crypto: more robust crypto_memneq")).

Thanks!
Willy


crypto_memneq not backported to 3.10

2017-04-09 Thread Jason A. Donenfeld
Hey Willy,

Linux 3.10 is inexplicably missing crypto_memneq, making all crypto
mac comparisons use non constant-time comparisons. Bad news bears.

3.12 got these backported with
d68e944a8fcb2c6212b38064771c9f5af7b0b92c,
afe5a791d374e50a06ada7f4eda4e921e1b77996, and possibly others. I'd
suggest following suit, since many people are relying on this kernel
to do safe crypto.

Thanks,
Jason
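
The problem Jason raises above is that a MAC check whose comparison stops at the first differing byte runs for a data-dependent time, which is what crypto_memneq exists to avoid. The following is an added example, not the kernel's crypto_memneq and not code from this thread: plain userspace C showing an early-exit compare beside a constant-time one with the same return contract as crypto_memneq (0 for equal, nonzero otherwise). The function names, the step counter and the sample tags are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit compare, the shape a memcmp()-style MAC check has.
 * The loop stops at the first mismatch, so the time taken depends on
 * where the received tag first differs from the expected one.
 * 'steps' (constructed for this example) receives the number of bytes
 * actually inspected so that data-dependence can be asserted in a test. */
static int early_exit_memneq(const void *a, const void *b, size_t n, size_t *steps)
{
    const uint8_t *pa = a, *pb = b;
    size_t i;

    for (i = 0; i < n; i++) {
        if (pa[i] != pb[i]) {
            if (steps)
                *steps = i + 1;
            return 1;
        }
    }
    if (steps)
        *steps = n;
    return 0;
}

/* Helper: number of bytes the early-exit compare looked at. */
static size_t early_exit_steps(const void *a, const void *b, size_t n)
{
    size_t steps = 0;

    early_exit_memneq(a, b, n, &steps);
    return steps;
}

/* Constant-time compare in the spirit of crypto_memneq(): XOR every byte
 * pair into an accumulator with no data-dependent branch or early return,
 * so all n bytes are touched regardless of input. Returns 0 if the buffers
 * are equal and nonzero otherwise (same contract as crypto_memneq). */
static unsigned long ct_memneq(const void *a, const void *b, size_t n)
{
    const volatile uint8_t *pa = a, *pb = b;
    unsigned long neq = 0;
    size_t i;

    for (i = 0; i < n; i++)
        neq |= (unsigned long)(pa[i] ^ pb[i]);
    return neq;
}

/* How a tag check should consume the result: a boolean derived from the
 * constant-time compare, never from the early-exit one. */
static int tag_matches(const uint8_t *expected, const uint8_t *received, size_t n)
{
    return ct_memneq(expected, received, n) == 0;
}

int main(void)
{
    /* Constructed sample tags: one differs in the first byte, one in the last. */
    const uint8_t expected[8]   = { 0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
    const uint8_t wrong_first[8] = { 0xff, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
    const uint8_t wrong_last[8]  = { 0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0xff };

    printf("early-exit: first-byte mismatch inspected %zu bytes, last-byte mismatch %zu bytes\n",
           early_exit_steps(expected, wrong_first, 8),
           early_exit_steps(expected, wrong_last, 8));
    printf("constant-time: match=%d, first-byte mismatch=%d, last-byte mismatch=%d\n",
           tag_matches(expected, expected, 8),
           tag_matches(expected, wrong_first, 8),
           tag_matches(expected, wrong_last, 8));
    return 0;
}
```

The early-exit version inspects 1 byte when the first byte is wrong and all 8 when only the last byte is wrong; the constant-time version always touches every byte. The kernel's real crypto_memneq goes further than this toy: it compares a word at a time and uses OPTIMIZER_HIDE_VAR() barriers so the compiler cannot turn the OR-accumulation back into a short-circuiting branch. A userspace reimplementation like the one above should not be assumed constant-time without inspecting the generated code.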

