Re: [PATCH] crypto: rsassa-pkcs1: use constant-time comparison for digest and signature verification

From: Ignat Korchagin

Date: Sat Jul 11 2026 - 04:00:58 EST


On Sat, Jul 11, 2026 at 6:19 AM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Fri, Jul 10, 2026 at 05:37:18PM -0400, Eric Biggers wrote:
> > On Fri, Jul 10, 2026 at 07:29:33PM +0200, David C.C.M. Gall wrote:
> > > Replace memcmp() with crypto_memneq() for cryptographic digest and
> > > signature comparisons to prevent timing side-channel attacks.
> > >
> > > crypto/rsassa-pkcs1.c: RSA signature digest verification used memcmp
> > > which can leak valid prefix length via timing analysis, user data
> > > could reach the leaky comparison via the digest argument to verify.
> > >
> > > Assisted-by: gregkh_clanker_t1000
> > > Signed-off-by: David C.C.M. Gall <david.ccm.gall@xxxxxxxxxxxxxx>
> >
> > While we should use crypto_memneq() on MACs, auth tags, and other secret
> > data, I don't think we should let it creep into domains where it is
> > clearly not needed, like public key signature verification.
>
> But isn't this user-controlled data and so a user could use it to figure
> out the key?

This is signature verification with a public key. So the user knows
the key already.

> thanks,
>
> greg k-h
>

Ignat