Re: [PATCH net] ah: use crypto_memneq to check the ICV
On Fri, May 19, 2017 at 02:25:14PM +0200, Sabrina Dubroca wrote: > Hi Steffen, > > 2017-05-04, 12:41:24 +0200, Steffen Klassert wrote: > > On Wed, May 03, 2017 at 04:57:57PM +0200, Sabrina Dubroca wrote: > > > Signed-off-by: Sabrina Dubroca> > > --- > > > net/ipv4/ah4.c | 5 +++-- > > > net/ipv6/ah6.c | 5 +++-- > > > 2 files changed, 6 insertions(+), 4 deletions(-) > > > > Is this a fix for something? If so, please describe what it fixes. > > If not, it can wait until after the merge window and merged into > > ipsec-next then. > > Do you prefer that I resend the patch, or can you take it directly? No need to resend, I've just applied it directly. Thanks a lot Sabrina!
Re: [PATCH net] ah: use crypto_memneq to check the ICV
Hi Steffen, 2017-05-04, 12:41:24 +0200, Steffen Klassert wrote: > On Wed, May 03, 2017 at 04:57:57PM +0200, Sabrina Dubroca wrote: > > Signed-off-by: Sabrina Dubroca> > --- > > net/ipv4/ah4.c | 5 +++-- > > net/ipv6/ah6.c | 5 +++-- > > 2 files changed, 6 insertions(+), 4 deletions(-) > > Is this a fix for something? If so, please describe what it fixes. > If not, it can wait until after the merge window and merged into > ipsec-next then. Do you prefer that I resend the patch, or can you take it directly? I just checked, it applies cleanly on top of linux-next. Thanks, -- Sabrina
Re: [PATCH net] ah: use crypto_memneq to check the ICV
2017-05-04, 12:41:24 +0200, Steffen Klassert wrote: > On Wed, May 03, 2017 at 04:57:57PM +0200, Sabrina Dubroca wrote: > > Signed-off-by: Sabrina Dubroca> > --- > > net/ipv4/ah4.c | 5 +++-- > > net/ipv6/ah6.c | 5 +++-- > > 2 files changed, 6 insertions(+), 4 deletions(-) > > Is this a fix for something? If so, please describe what it fixes. > If not, it can wait until after the merge window and merged into > ipsec-next then. Yeah, not really. I suppose you could see it as a fix for the commit that introduced crypto_memneq and did some conversions (6bf37e5aa90f ("crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks")), but that may be a bit of a stretch. I can repost that for ipsec-next in a couple of weeks. Thanks, -- Sabrina
Re: [PATCH net] ah: use crypto_memneq to check the ICV
On Wed, May 03, 2017 at 04:57:57PM +0200, Sabrina Dubroca wrote: > Signed-off-by: Sabrina Dubroca> --- > net/ipv4/ah4.c | 5 +++-- > net/ipv6/ah6.c | 5 +++-- > 2 files changed, 6 insertions(+), 4 deletions(-) Is this a fix for something? If so, please describe what it fixes. If not, it can wait until after the merge window and merged into ipsec-next then.
[PATCH net] ah: use crypto_memneq to check the ICV
Signed-off-by: Sabrina Dubroca--- net/ipv4/ah4.c | 5 +++-- net/ipv6/ah6.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c index 22377c8ff14b..207350b30f88 100644 --- a/net/ipv4/ah4.c +++ b/net/ipv4/ah4.c @@ -1,5 +1,6 @@ #define pr_fmt(fmt) "IPsec: " fmt +#include #include #include #include @@ -277,7 +278,7 @@ static void ah_input_done(struct crypto_async_request *base, int err) auth_data = ah_tmp_auth(work_iph, ihl); icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len); - err = memcmp(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG: 0; + err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0; if (err) goto out; @@ -413,7 +414,7 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb) goto out_free; } - err = memcmp(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG: 0; + err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0; if (err) goto out_free; diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index dda6035e3b84..ac747b13a8dc 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c @@ -25,6 +25,7 @@ #define pr_fmt(fmt) "IPv6: " fmt +#include #include #include #include @@ -481,7 +482,7 @@ static void ah6_input_done(struct crypto_async_request *base, int err) auth_data = ah_tmp_auth(work_iph, hdr_len); icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len); - err = memcmp(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0; + err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0; if (err) goto out; @@ -627,7 +628,7 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb) goto out_free; } - err = memcmp(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0; + err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0; if (err) goto out_free; -- 2.12.2