From: Johannes Berg <johannes@sipsolutions.net>
To: Emmanuel Grumbach <egrumbach@gmail.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Greg KH <gregkh@linuxfoundation.org>,
linux-wireless <linux-wireless@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: Re: [PATCH] mac80211/wpa: use constant time memory comparison for MACs
Date: Sun, 18 Jun 2017 22:44:16 +0200
Message-ID: <1497818656.2259.1.camel@sipsolutions.net>
In-Reply-To: <CANUX_P1=8R5E8uk7VsqyAXQvRD52J1XdcL1R6R6GJeM_dv85vw@mail.gmail.com> (sfid-20170618_223154_508671_F7CC4FB5)

On Sun, 2017-06-18 at 23:31 +0300, Emmanuel Grumbach wrote:
> On Sun, Jun 18, 2017 at 10:18 PM, Jason A. Donenfeld <Jason@zx2c4.com
> > wrote:
> > Otherwise, we enable all sorts of forgeries via timing attack.
>
> crypto_memneq's description says:
[...]
> > ---
> > Here's the backport for 3.18.
Yeah, not sure what happened here, but ...
> > #include "ieee80211_i.h"
> > #include "michael.h"
> > @@ -150,7 +151,7 @@ ieee80211_rx_h_michael_mic_verify(struct
> > ieee80211_rx_data *rx)
> > data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
> > key = &rx->key-
> > >conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
> > michael_mic(key, hdr, data, data_len, mic);
> > - if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0)
> > + if (crypto_memneq(mic, data + data_len, MICHAEL_MIC_LEN) !=
> > 0)
> > goto mic_fail;
This is obviously wrong and not like that in the original,
> > /* remove Michael MIC from payload */
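Review bot: the `!= 0` left on the changed `if` in ieee80211_rx_h_michael_mic_verify() is redundant. crypto_memneq() already returns zero for equal buffers and non-zero otherwise, so `if (crypto_memneq(mic, data + data_len, MICHAEL_MIC_LEN))` says the same thing, fits on one line, and no longer reads like a mechanical memcmp() substitution. Using crypto_memneq() for this comparison is appropriate, since only equality of the computed and received MIC matters here.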
> > @@ -520,7 +521,7 @@ ieee80211_crypto_ccmp_decrypt(struct
> > ieee80211_rx_data *rx)
> >
> > queue = rx->security_idx;
> >
> > - if (memcmp(pn, key->u.ccmp.rx_pn[queue],
> > IEEE80211_CCMP_PN_LEN) <= 0) {
> > + if (crypto_memneq(pn, key->u.ccmp.rx_pn[queue],
> > IEEE80211_CCMP_PN_LEN) <= 0) {
> > key->u.ccmp.replays++;
> > return RX_DROP_UNUSABLE;
> > }
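Review bot: the replay check in ieee80211_crypto_ccmp_decrypt() has to keep memcmp(); `crypto_memneq(...) <= 0` is a logic error. crypto_memneq() only reports equal (zero) or not equal (non-zero) and carries no ordering, so the condition is true only when pn is identical to rx_pn[queue], and a frame whose packet number is lower than the last accepted one is no longer counted in replays or dropped. The packet number is compared for ordering and is not a MAC, so this hunk should be dropped from the backport.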
this isn't in the original at all, and clearly shouldn't be here,
> > @@ -771,7 +772,7 @@ ieee80211_crypto_aes_cmac_decrypt(struct
> > ieee80211_rx_data *rx)
> > bip_aad(skb, aad);
> > ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
> > skb->data + 24, skb->len - 24,
> > mic);
> > - if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0)
> > {
> > + if (crypto_memneq(mic, mmie->mic, sizeof(mmie-
> > >mic)) != 0) {
and this is just as wrong as the first one.
johannes
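
The difference between the MIC comparisons and the PN replay check quoted above, as an added userspace example that is not part of the original message or of the kernel source. `ct_memneq()` is a hypothetical stand-in for the equal/not-equal contract of `crypto_memneq()`, and the PN values are constructed.

```c
#include <stdio.h>
#include <string.h>

#define PN_LEN 6 /* CCMP packet number, most significant byte first (assumption) */

/* Stand-in (assumption) for crypto_memneq(): returns 0 if the buffers are
 * equal and 1 otherwise, reading every byte no matter where they differ. */
int ct_memneq(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *x = a, *y = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= x[i] ^ y[i];
    return diff != 0;
}

/* MIC check: only equality matters, so the constant-time compare fits. */
int mic_ok(const unsigned char *calc, const unsigned char *rx, size_t n)
{
    return !ct_memneq(calc, rx, n);
}

/* Replay check with memcmp(): a PN at or below the last accepted one is a
 * replay. This relies on memcmp()'s ordering of the big-endian bytes. */
int replay_ordered(const unsigned char *pn, const unsigned char *last)
{
    return memcmp(pn, last, PN_LEN) <= 0;
}

/* Same check after substituting the equality-only compare: the result is
 * never negative, so "<= 0" fires only when the two PNs are identical. */
int replay_substituted(const unsigned char *pn, const unsigned char *last)
{
    return ct_memneq(pn, last, PN_LEN) <= 0;
}

/* Constructed sample values: last accepted PN, an older PN, a newer PN. */
const unsigned char last_pn[PN_LEN] = {0, 0, 0, 0, 0x01, 0x00};
const unsigned char old_pn[PN_LEN]  = {0, 0, 0, 0, 0x00, 0xff};
const unsigned char new_pn[PN_LEN]  = {0, 0, 0, 0, 0x01, 0x01};

int main(void)
{
    printf("old PN flagged as replay: ordered=%d substituted=%d\n",
           replay_ordered(old_pn, last_pn), replay_substituted(old_pn, last_pn));
    return 0;
}
```
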

Thread overview:
2017-06-17 17:34 FAILED: patch "[PATCH] mac80211/wpa: use constant time memory comparison for MACs" failed to apply to 3.18-stable tree gregkh
2017-06-18 19:18 ` [PATCH] mac80211/wpa: use constant time memory comparison for MACs Jason A. Donenfeld
2017-06-18 20:31 ` Emmanuel Grumbach
2017-06-18 20:44 ` Johannes Berg [this message]
2017-06-19 16:44 ` [PATCH v2 3.18-stable] " Jason A. Donenfeld
2017-06-27 11:32 ` Greg KH