Re: [PATCH] crypto: ccp/gcm - use const time tag comparison.
From: Eric Biggers
Date: Tue Jul 02 2019 - 11:53:46 EST
On Tue, Jul 02, 2019 at 03:41:23PM +0000, Gary R Hook wrote:
> On 7/1/19 7:25 PM, Eric Biggers wrote:
> > On Mon, Jul 01, 2019 at 05:01:32PM -0700, Cfir Cohen wrote:
> >> Avoid leaking GCM tag through timing side channel.
> >> Signed-off-by: Cfir Cohen <cfir@xxxxxxxxxx>
> >> ---
> >> drivers/crypto/ccp/ccp-ops.c | 3 ++-
> >> 1 file changed, 2 insertions(+), 1 deletion(-)
> >> diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
> >> index db8de89d990f..633670220f6c 100644
> >> --- a/drivers/crypto/ccp/ccp-ops.c
> >> +++ b/drivers/crypto/ccp/ccp-ops.c
> >> @@ -840,7 +840,8 @@ static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
> >> if (ret)
> >> goto e_tag;
> >> - ret = memcmp(tag.address, final_wa.address, AES_BLOCK_SIZE);
> >> + ret = crypto_memneq(tag.address, final_wa.address,
> >> + AES_BLOCK_SIZE) ? -EBADMSG : 0;
> >> ccp_dm_free(&tag);
> >> }
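Review bot: The commit message does not cover the change in return value made by the new `ret = crypto_memneq(...) ? -EBADMSG : 0;` assignment. The removed memcmp() line left whatever non-zero value memcmp() produced (positive or negative) in ret on a tag mismatch, while the new line maps every mismatch to -EBADMSG. Please state in the commit message that an authentication failure is now reported as -EBADMSG, in addition to the timing side channel fix. The diffstat shows only this one-line replacement, so also confirm that ccp-ops.c already includes the header that declares crypto_memneq() (<crypto/algapi.h>).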
> >> --
> >> 188.8.131.520.gd8fdbe21b5-goog
> > Looks like this needs:
> > Fixes: 36cf515b9bbe ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
> > Cc: <stable@xxxxxxxxxxxxxxx> # v4.12+
> Yes, it does. For clarity, does that mean you've taken care of this?
Herbert is the person who will apply this, so he'd need to do it. But it might
be better just to resend.