Re: [PATCH] crypto: pkcs7 - use constant-time digest comparison

Next message: Shardul Bankar: "[PATCH v2] hfsplus: fix s_fs_info leak on mount setup failure"
Previous message: gregkh@xxxxxxxxxxxxxxxxxxx: "Re: [PATCH] pstore/ram: fix buffer overflow in persistent_ram_save_old()"
In reply to: Ignat Korchagin: "Re: [PATCH] crypto: pkcs7 - use constant-time digest comparison"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Daniel Hodges

Date: Sun Feb 01 2026 - 08:08:01 EST

On Sun, Feb 01, 2026 at 11:55:26AM +0100, Ignat Korchagin wrote:
> On Sun, Feb 1, 2026 at 5:41 AM Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> >
> > On Sat, Jan 31, 2026 at 07:55:03PM -0800, Daniel Hodges wrote:
> > > This creates a timing side-channel that could allow an
> > > attacker to forge valid signatures by measuring verification time
> > > and recovering the expected digest value byte-by-byte.
> >
> > Good luck with that. The memcmp just checks that the CMS object
> > includes the hash of the data as a signed attribute. It's a consistency
> > check of two attacker-controlled values, which happens before the real
> > signature check. You may be confusing it with a MAC comparison.
>
> On top of that the CMS object and the hash inside is "public", so even
> if you have state-of-the-art quantum computer thing you can just take
> the object and forge the signature "offline"
>
> > - Eric

I just went through the code flow again and that makes sense, sorry
about that!