Re: crypto_memneq not backported to 3.10
Hi Jason,

On Mon, May 01, 2017 at 04:30:01PM +0200, Jason A. Donenfeld wrote:
> > I'll check if the 3.12 patches above can be safely backported, and I'll
> > have to re-apply the missing part of the one that was trimmed down
> > (commit 620c411 ("crypto: more robust crypto_memneq")).
>
> I'm vaguely wondering if you ever decided on backporting this. After I
> reported the issue to Ubiquiti -- a random vendor doing ipsec with
> 3.10 -- they actually released a backport of these functions in a
> security update for their stuff. So I imagine others might want this
> sort of thing too.

I'll do it. It just happens that I've been quite busy lately so no new
3.10 was released since you reported this ~1 month ago. I'll get back
to this ASAP.

Thanks for the heads up,
Willy
Re: crypto_memneq not backported to 3.10
Hey Willy,

On Sun, Apr 9, 2017 at 3:25 PM, Willy Tarreau wrote:
>
> Hi Jason,
>
> On Sun, Apr 09, 2017 at 02:59:53PM +0200, Jason A. Donenfeld wrote:
> > Hey Willy,
> >
> > Linux 3.10 is inexplicably missing crypto_memneq, making all crypto
> > mac comparisons use non constant-time comparisons. Bad news bears.
> >
> > 3.12 got these backported with
> > d68e944a8fcb2c6212b38064771c9f5af7b0b92c,
> > afe5a791d374e50a06ada7f4eda4e921e1b77996, and possibly others. I'd
> > suggest following suit, since many people are relying on this kernel
> > to do safe crypto.
>
> Interesting. I remembered seeing some crypto_memneq stuff in the past,
> and in fact there was one patch talking about this but trimmed down to
> only affect other parts since crypto_memneq is indeed not part of 3.10.
>
> I'll check if the 3.12 patches above can be safely backported, and I'll
> have to re-apply the missing part of the one that was trimmed down
> (commit 620c411 ("crypto: more robust crypto_memneq")).

I'm vaguely wondering if you ever decided on backporting this. After I
reported the issue to Ubiquiti -- a random vendor doing ipsec with
3.10 -- they actually released a backport of these functions in a
security update for their stuff. So I imagine others might want this
sort of thing too.

Jason
Re: crypto_memneq not backported to 3.10
Hi Jason,

On Sun, Apr 09, 2017 at 02:59:53PM +0200, Jason A. Donenfeld wrote:
> Hey Willy,
>
> Linux 3.10 is inexplicably missing crypto_memneq, making all crypto
> mac comparisons use non constant-time comparisons. Bad news bears.
>
> 3.12 got these backported with
> d68e944a8fcb2c6212b38064771c9f5af7b0b92c,
> afe5a791d374e50a06ada7f4eda4e921e1b77996, and possibly others. I'd
> suggest following suit, since many people are relying on this kernel
> to do safe crypto.

Interesting. I remembered seeing some crypto_memneq stuff in the past,
and in fact there was one patch talking about this but trimmed down to
only affect other parts since crypto_memneq is indeed not part of 3.10.

I'll check if the 3.12 patches above can be safely backported, and I'll
have to re-apply the missing part of the one that was trimmed down
(commit 620c411 ("crypto: more robust crypto_memneq")).

Thanks!
Willy
crypto_memneq not backported to 3.10
Hey Willy,

Linux 3.10 is inexplicably missing crypto_memneq, making all crypto
mac comparisons use non constant-time comparisons. Bad news bears.

3.12 got these backported with
d68e944a8fcb2c6212b38064771c9f5af7b0b92c,
afe5a791d374e50a06ada7f4eda4e921e1b77996, and possibly others. I'd
suggest following suit, since many people are relying on this kernel
to do safe crypto.

Thanks,
Jason
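
Added example, not part of the thread and not the kernel's code: a simplified userspace sketch in C of the property at stake in the first message, an early-exit comparison next to one with crypto_memneq()-like semantics. The function names, the `examined` counter (a stand-in for elapsed time) and the sample tags are constructed for illustration; `volatile` is this sketch's assumption for keeping the compiler from short-circuiting the loop.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit comparison, as memcmp()-style code behaves: stops at the first
 * differing byte. *examined counts bytes read, a stand-in for elapsed time. */
static int leaky_neq(const unsigned char *a, const unsigned char *b,
                     size_t n, size_t *examined)
{
    size_t i;

    *examined = 0;
    for (i = 0; i < n; i++) {
        *examined = i + 1;
        if (a[i] != b[i])
            return 1;
    }
    return 0;
}

/* Constant-time comparison with crypto_memneq()-like semantics: returns 0 if
 * equal, nonzero if not. Differences are OR-ed together, so every byte is
 * read no matter where the first mismatch is. */
static int ct_memneq(const void *a, const void *b, size_t n, size_t *examined)
{
    const volatile unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < n; i++)
        diff |= pa[i] ^ pb[i];
    *examined = n;
    return diff;
}

/* Constructed sample tags (not real MACs): mismatch at byte 0 and at byte 15. */
static const unsigned char tag[16]       = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
static const unsigned char bad_first[16] = {0,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
static const unsigned char bad_last[16]  = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,0};

int main(void)
{
    size_t n;

    leaky_neq(tag, bad_first, 16, &n); printf("leaky, byte 0 wrong:  %zu read\n", n);
    leaky_neq(tag, bad_last, 16, &n);  printf("leaky, byte 15 wrong: %zu read\n", n);
    ct_memneq(tag, bad_first, 16, &n); printf("ct,    byte 0 wrong:  %zu read\n", n);
    ct_memneq(tag, bad_last, 16, &n);  printf("ct,    byte 15 wrong: %zu read\n", n);
    return 0;
}
```

The early-exit version does work proportional to the length of the matching prefix, which is the data-dependent behaviour a MAC check should not have; the OR-accumulating version does the same work for every input of a given length.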