[PATCH 0/2] thunderbolt: HMAC fix and cleanup

linux-crypto.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 0/2] thunderbolt: HMAC fix and cleanup
@ 2025-07-31 19:25 Eric Biggers
  2025-07-31 19:25 ` [PATCH 1/2] thunderbolt: Compare HMAC values in constant time Eric Biggers
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Eric Biggers @ 2025-07-31 19:25 UTC (permalink / raw)
  To: linux-usb, Andreas Noever, Michael Jamet, Mika Westerberg,
	Yehezkel Bernat, Greg Kroah-Hartman
  Cc: linux-crypto, linux-kernel, Eric Biggers

Patch 1 fixes the HMAC comparison in the thunderbolt driver to be
constant-time.

Patch 2 simplifies the HMAC computation in the thunderbolt driver by
using the library API instead of crypto_shash.  Note that this depends
on the HMAC-SHA256 library API that was merged for v6.17-rc1.

Eric Biggers (2):
  thunderbolt: Compare HMAC values in constant time
  thunderbolt: Use HMAC-SHA256 library instead of crypto_shash

 drivers/thunderbolt/Kconfig  |  4 ++--
 drivers/thunderbolt/domain.c | 45 ++++++------------------------------
 2 files changed, 9 insertions(+), 40 deletions(-)


base-commit: d6084bb815c453de27af8071a23163a711586a6c
-- 
2.50.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH 1/2] thunderbolt: Compare HMAC values in constant time
  2025-07-31 19:25 [PATCH 0/2] thunderbolt: HMAC fix and cleanup Eric Biggers
@ 2025-07-31 19:25 ` Eric Biggers
  2025-07-31 19:25 ` [PATCH 2/2] thunderbolt: Use HMAC-SHA256 library instead of crypto_shash Eric Biggers
  2025-08-11  5:58 ` [PATCH 0/2] thunderbolt: HMAC fix and cleanup Mika Westerberg
  2 siblings, 0 replies; 4+ messages in thread
From: Eric Biggers @ 2025-07-31 19:25 UTC (permalink / raw)
  To: linux-usb, Andreas Noever, Michael Jamet, Mika Westerberg,
	Yehezkel Bernat, Greg Kroah-Hartman
  Cc: linux-crypto, linux-kernel, Eric Biggers

To prevent timing attacks, HMAC value comparison needs to be constant
time.  Replace the memcmp() with the correct function, crypto_memneq().

Fixes: f67cf491175a ("thunderbolt: Add support for Internal Connection Manager (ICM)")
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 drivers/thunderbolt/domain.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/thunderbolt/domain.c b/drivers/thunderbolt/domain.c
index 45239703745e5..7e0eb3c07f1c7 100644
--- a/drivers/thunderbolt/domain.c
+++ b/drivers/thunderbolt/domain.c
@@ -11,10 +11,11 @@
 #include <linux/module.h>
 #include <linux/pm_runtime.h>
 #include <linux/slab.h>
 #include <linux/random.h>
 #include <crypto/hash.h>
+#include <crypto/utils.h>
 
 #include "tb.h"
 
 static DEFINE_IDA(tb_domain_ida);
 
@@ -746,11 +747,11 @@ int tb_domain_challenge_switch_key(struct tb *tb, struct tb_switch *sw)
 	ret = crypto_shash_digest(shash, challenge, sizeof(hmac), hmac);
 	if (ret)
 		goto err_free_shash;
 
 	/* The returned HMAC must match the one we calculated */
-	if (memcmp(response, hmac, sizeof(hmac))) {
+	if (crypto_memneq(response, hmac, sizeof(hmac))) {
 		ret = -EKEYREJECTED;
 		goto err_free_shash;
 	}
 
 	crypto_free_shash(tfm);
-- 
2.50.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH 2/2] thunderbolt: Use HMAC-SHA256 library instead of crypto_shash
  2025-07-31 19:25 [PATCH 0/2] thunderbolt: HMAC fix and cleanup Eric Biggers
  2025-07-31 19:25 ` [PATCH 1/2] thunderbolt: Compare HMAC values in constant time Eric Biggers
@ 2025-07-31 19:25 ` Eric Biggers
  2025-08-11  5:58 ` [PATCH 0/2] thunderbolt: HMAC fix and cleanup Mika Westerberg
  2 siblings, 0 replies; 4+ messages in thread
From: Eric Biggers @ 2025-07-31 19:25 UTC (permalink / raw)
  To: linux-usb, Andreas Noever, Michael Jamet, Mika Westerberg,
	Yehezkel Bernat, Greg Kroah-Hartman
  Cc: linux-crypto, linux-kernel, Eric Biggers

Use the hmac_sha256_usingrawkey() library function instead of the
"hmac(sha256)" crypto_shash.  This is simpler and faster.

As a cleanup, change the input data parameters from "challenge,
sizeof(hmac)" to "challenge, sizeof(challenge)", so that the size is
being taken of the correct buffer.  This is not a functional change,
since it happens that sizeof(hmac) == sizeof(challenge).

Replace the selection of CRYPTO and CRYPTO_HASH with CRYPTO_LIB_SHA256
and CRYPTO_LIB_UTILS.  The latter is needed for crypto_memneq() which
was previously being pulled in via CRYPTO.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 drivers/thunderbolt/Kconfig  |  4 ++--
 drivers/thunderbolt/domain.c | 44 +++++-------------------------------
 2 files changed, 8 insertions(+), 40 deletions(-)

diff --git a/drivers/thunderbolt/Kconfig b/drivers/thunderbolt/Kconfig
index 0abdb69ee9f43..db3b0bef48f4c 100644
--- a/drivers/thunderbolt/Kconfig
+++ b/drivers/thunderbolt/Kconfig
@@ -2,12 +2,12 @@
 menuconfig USB4
 	tristate "Unified support for USB4 and Thunderbolt"
 	depends on PCI
 	select APPLE_PROPERTIES if EFI_STUB && X86
 	select CRC32
-	select CRYPTO
-	select CRYPTO_HASH
+	select CRYPTO_LIB_SHA256
+	select CRYPTO_LIB_UTILS
 	select NVMEM
 	help
 	  USB4 and Thunderbolt driver. USB4 is the public specification
 	  based on the Thunderbolt 3 protocol. This driver is required if
 	  you want to hotplug Thunderbolt and USB4 compliant devices on
diff --git a/drivers/thunderbolt/domain.c b/drivers/thunderbolt/domain.c
index 7e0eb3c07f1c7..5272c255e046d 100644
--- a/drivers/thunderbolt/domain.c
+++ b/drivers/thunderbolt/domain.c
@@ -10,11 +10,11 @@
 #include <linux/idr.h>
 #include <linux/module.h>
 #include <linux/pm_runtime.h>
 #include <linux/slab.h>
 #include <linux/random.h>
-#include <crypto/hash.h>
+#include <crypto/sha2.h>
 #include <crypto/utils.h>
 
 #include "tb.h"
 
 static DEFINE_IDA(tb_domain_ida);
@@ -707,12 +707,10 @@ int tb_domain_challenge_switch_key(struct tb *tb, struct tb_switch *sw)
 {
 	u8 challenge[TB_SWITCH_KEY_SIZE];
 	u8 response[TB_SWITCH_KEY_SIZE];
 	u8 hmac[TB_SWITCH_KEY_SIZE];
 	struct tb_switch *parent_sw;
-	struct crypto_shash *tfm;
-	struct shash_desc *shash;
 	int ret;
 
 	if (!tb->cm_ops->approve_switch || !tb->cm_ops->challenge_switch_key)
 		return -EPERM;
 
@@ -724,49 +722,19 @@ int tb_domain_challenge_switch_key(struct tb *tb, struct tb_switch *sw)
 	get_random_bytes(challenge, sizeof(challenge));
 	ret = tb->cm_ops->challenge_switch_key(tb, sw, challenge, response);
 	if (ret)
 		return ret;
 
-	tfm = crypto_alloc_shash("hmac(sha256)", 0, 0);
-	if (IS_ERR(tfm))
-		return PTR_ERR(tfm);
-
-	ret = crypto_shash_setkey(tfm, sw->key, TB_SWITCH_KEY_SIZE);
-	if (ret)
-		goto err_free_tfm;
-
-	shash = kzalloc(sizeof(*shash) + crypto_shash_descsize(tfm),
-			GFP_KERNEL);
-	if (!shash) {
-		ret = -ENOMEM;
-		goto err_free_tfm;
-	}
-
-	shash->tfm = tfm;
-
-	memset(hmac, 0, sizeof(hmac));
-	ret = crypto_shash_digest(shash, challenge, sizeof(hmac), hmac);
-	if (ret)
-		goto err_free_shash;
+	static_assert(sizeof(hmac) == SHA256_DIGEST_SIZE);
+	hmac_sha256_usingrawkey(sw->key, TB_SWITCH_KEY_SIZE,
+				challenge, sizeof(challenge), hmac);
 
 	/* The returned HMAC must match the one we calculated */
-	if (crypto_memneq(response, hmac, sizeof(hmac))) {
-		ret = -EKEYREJECTED;
-		goto err_free_shash;
-	}
-
-	crypto_free_shash(tfm);
-	kfree(shash);
+	if (crypto_memneq(response, hmac, sizeof(hmac)))
+		return -EKEYREJECTED;
 
 	return tb->cm_ops->approve_switch(tb, sw);
-
-err_free_shash:
-	kfree(shash);
-err_free_tfm:
-	crypto_free_shash(tfm);
-
-	return ret;
 }
 
 /**
  * tb_domain_disconnect_pcie_paths() - Disconnect all PCIe paths
  * @tb: Domain whose PCIe paths to disconnect
-- 
2.50.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH 0/2] thunderbolt: HMAC fix and cleanup
  2025-07-31 19:25 [PATCH 0/2] thunderbolt: HMAC fix and cleanup Eric Biggers
  2025-07-31 19:25 ` [PATCH 1/2] thunderbolt: Compare HMAC values in constant time Eric Biggers
  2025-07-31 19:25 ` [PATCH 2/2] thunderbolt: Use HMAC-SHA256 library instead of crypto_shash Eric Biggers
@ 2025-08-11  5:58 ` Mika Westerberg
  2 siblings, 0 replies; 4+ messages in thread
From: Mika Westerberg @ 2025-08-11  5:58 UTC (permalink / raw)
  To: Eric Biggers
  Cc: linux-usb, Andreas Noever, Michael Jamet, Mika Westerberg,
	Yehezkel Bernat, Greg Kroah-Hartman, linux-crypto, linux-kernel

On Thu, Jul 31, 2025 at 12:25:43PM -0700, Eric Biggers wrote:
> Patch 1 fixes the HMAC comparison in the thunderbolt driver to be
> constant-time.
> 
> Patch 2 simplifies the HMAC computation in the thunderbolt driver by
> using the library API instead of crypto_shash.  Note that this depends
> on the HMAC-SHA256 library API that was merged for v6.17-rc1.
> 
> Eric Biggers (2):
>   thunderbolt: Compare HMAC values in constant time
>   thunderbolt: Use HMAC-SHA256 library instead of crypto_shash

Both applied to thunderbolt.git/next, thanks!

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-08-11  5:58 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-31 19:25 [PATCH 0/2] thunderbolt: HMAC fix and cleanup Eric Biggers
2025-07-31 19:25 ` [PATCH 1/2] thunderbolt: Compare HMAC values in constant time Eric Biggers
2025-07-31 19:25 ` [PATCH 2/2] thunderbolt: Use HMAC-SHA256 library instead of crypto_shash Eric Biggers
2025-08-11  5:58 ` [PATCH 0/2] thunderbolt: HMAC fix and cleanup Mika Westerberg

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).