Re: [PATCH] crypto: pkcs7 - use constant-time digest comparison

Next message: syzbot: "Forwarded: [PATCH] KVM: guest_memfd: Restrict to order-0 folios until large folio support is implemented"
Previous message: Dmitry Baryshkov: "[PATCH v2 7/8] arm64: dts: qcom: sort out Iris power domains"
Next in thread: Daniel Hodges: "Re: [PATCH] crypto: pkcs7 - use constant-time digest comparison"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ignat Korchagin

Date: Sun Feb 01 2026 - 05:55:43 EST

On Sun, Feb 1, 2026 at 5:41 AM Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
>
> On Sat, Jan 31, 2026 at 07:55:03PM -0800, Daniel Hodges wrote:
> > This creates a timing side-channel that could allow an
> > attacker to forge valid signatures by measuring verification time
> > and recovering the expected digest value byte-by-byte.
>
> Good luck with that. The memcmp just checks that the CMS object
> includes the hash of the data as a signed attribute. It's a consistency
> check of two attacker-controlled values, which happens before the real
> signature check. You may be confusing it with a MAC comparison.

On top of that the CMS object and the hash inside is "public", so even
if you have state-of-the-art quantum computer thing you can just take
the object and forge the signature "offline"

> - Eric