From: Johannes Berg <johannes@sipsolutions.net>
To: Emmanuel Grumbach <egrumbach@gmail.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Greg KH <gregkh@linuxfoundation.org>,
linux-wireless <linux-wireless@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: Re: [PATCH] mac80211/wpa: use constant time memory comparison for MACs
Date: Sun, 18 Jun 2017 22:44:16 +0200 [thread overview]
Message-ID: <1497818656.2259.1.camel@sipsolutions.net> (raw)
In-Reply-To: <CANUX_P1=8R5E8uk7VsqyAXQvRD52J1XdcL1R6R6GJeM_dv85vw@mail.gmail.com> (sfid-20170618_223154_508671_F7CC4FB5)
On Sun, 2017-06-18 at 23:31 +0300, Emmanuel Grumbach wrote:
> On Sun, Jun 18, 2017 at 10:18 PM, Jason A. Donenfeld <Jason@zx2c4.com
> > wrote:
> > Otherwise, we enable all sorts of forgeries via timing attack.
>
> crypto_memneq's description says:
[...]
> > ---
> > Here's the backport for 3.18.
Yeah, not sure what happened here, but ...
> > #include "ieee80211_i.h"
> > #include "michael.h"
> > @@ -150,7 +151,7 @@ ieee80211_rx_h_michael_mic_verify(struct
> > ieee80211_rx_data *rx)
> > data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
> > key = &rx->key-
> > >conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
> > michael_mic(key, hdr, data, data_len, mic);
> > - if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0)
> > + if (crypto_memneq(mic, data + data_len, MICHAEL_MIC_LEN) !=
> > 0)
> > goto mic_fail;
This is obviously wrong and not like that in the original,
> > /* remove Michael MIC from payload */
> > @@ -520,7 +521,7 @@ ieee80211_crypto_ccmp_decrypt(struct
> > ieee80211_rx_data *rx)
> >
> > queue = rx->security_idx;
> >
> > - if (memcmp(pn, key->u.ccmp.rx_pn[queue],
> > IEEE80211_CCMP_PN_LEN) <= 0) {
> > + if (crypto_memneq(pn, key->u.ccmp.rx_pn[queue],
> > IEEE80211_CCMP_PN_LEN) <= 0) {
> > key->u.ccmp.replays++;
> > return RX_DROP_UNUSABLE;
> > }
this isn't in the original at all, and clearly shouldn't be here,
> > @@ -771,7 +772,7 @@ ieee80211_crypto_aes_cmac_decrypt(struct
> > ieee80211_rx_data *rx)
> > bip_aad(skb, aad);
> > ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
> > skb->data + 24, skb->len - 24,
> > mic);
> > - if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0)
> > {
> > + if (crypto_memneq(mic, mmie->mic, sizeof(mmie-
> > >mic)) != 0) {
and this is just as wrong as the first one.
johannes
next prev parent reply other threads:[~2017-06-18 20:44 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1497720871224217@kroah.com>
2017-06-18 19:18 ` [PATCH] mac80211/wpa: use constant time memory comparison for MACs Jason A. Donenfeld
2017-06-18 20:31 ` Emmanuel Grumbach
2017-06-18 20:44 ` Johannes Berg [this message]
2017-06-19 16:44 ` [PATCH v2 3.18-stable] " Jason A. Donenfeld
2017-06-27 11:32 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1497818656.2259.1.camel@sipsolutions.net \
--to=johannes@sipsolutions.net \
--cc=Jason@zx2c4.com \
--cc=egrumbach@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-wireless@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).