From: Daniel Hodges <hodgesd@meta.com>
To: Ignat Korchagin <ignat@cloudflare.com>
Cc: Eric Biggers <ebiggers@kernel.org>,
David Howells <dhowells@redhat.com>,
Lukas Wunner <lukas@wunner.de>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S . Miller" <davem@davemloft.net>,
<keyrings@vger.kernel.org>, <linux-crypto@vger.kernel.org>,
<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] crypto: pkcs7 - use constant-time digest comparison
Date: Sun, 1 Feb 2026 05:07:38 -0800 [thread overview]
Message-ID: <aX9P2Y4AUuetwIPF@fb.com> (raw)
In-Reply-To: <CALrw=nG0Pj1W-bZ6qQax0WnxSayCtYx97ivRuQMsVZHbsQZong@mail.gmail.com>
On Sun, Feb 01, 2026 at 11:55:26AM +0100, Ignat Korchagin wrote:
> On Sun, Feb 1, 2026 at 5:41 AM Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > On Sat, Jan 31, 2026 at 07:55:03PM -0800, Daniel Hodges wrote:
> > > This creates a timing side-channel that could allow an
> > > attacker to forge valid signatures by measuring verification time
> > > and recovering the expected digest value byte-by-byte.
> >
> > Good luck with that. The memcmp just checks that the CMS object
> > includes the hash of the data as a signed attribute. It's a consistency
> > check of two attacker-controlled values, which happens before the real
> > signature check. You may be confusing it with a MAC comparison.
>
> On top of that the CMS object and the hash inside is "public", so even
> if you have state-of-the-art quantum computer thing you can just take
> the object and forge the signature "offline"
>
> > - Eric
I just went through the code flow again and that makes sense, sorry
about that!
prev parent reply other threads:[~2026-02-01 13:07 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-01 3:55 [PATCH] crypto: pkcs7 - use constant-time digest comparison Daniel Hodges
2026-02-01 4:41 ` Eric Biggers
2026-02-01 10:55 ` Ignat Korchagin
2026-02-01 13:07 ` Daniel Hodges [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aX9P2Y4AUuetwIPF@fb.com \
--to=hodgesd@meta.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@cloudflare.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas@wunner.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox