From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ej1-f53.google.com (mail-ej1-f53.google.com [209.85.218.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2313733A014 for ; Mon, 13 Jul 2026 21:23:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.53 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783977819; cv=none; b=r7J6uAdW3Zc/DYsOUyZo5fHCJnhkjapIYAJrAvZcTtqyHh8SSrRPpg1g7FSax7qNk1TBZqD9xQBtj7cOujB6a9A3oEfe+9DR4tb/b9wAryh75NQcig9kG3mE0rRGa4kj6SA6urazODwX69yIv1U07G+T3fMVN7/l85Yk7anR31Y= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783977819; c=relaxed/simple; bh=Mk2t8nzgYJzLwlkNud85cE38NzovhsoQrscNbszw33o=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=Vyv0AeGyQZ0pQto4LZ0/AxaiIAMaXCGjK+AuvcJrqAxBTcxQcoBW4fvE9nWoXipnv7U1pSJ3ETIxT2yPlBLWncHoUNA+xplMzFtZPEfn1Z2ASwKZwAp49FJ/CsqhGAHqIB5wyjeRK0iUByFDE8nsc53lp37yU5iMCAnvfDioVMs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=googlemail.com; spf=pass smtp.mailfrom=googlemail.com; dkim=pass (2048-bit key) header.d=googlemail.com header.i=@googlemail.com header.b=nU5AVbYd; arc=none smtp.client-ip=209.85.218.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=googlemail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=googlemail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=googlemail.com header.i=@googlemail.com header.b="nU5AVbYd" Received: by mail-ej1-f53.google.com with SMTP id a640c23a62f3a-c15fd3a299eso55621966b.2 for ; Mon, 13 Jul 2026 14:23:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20251104; t=1783977816; x=1784582616; darn=vger.kernel.org; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:from:to:cc:subject :date:message-id:reply-to:content-type; bh=otBwmNaHaQM26sxlH4S7rvsrxllaQCtHmYJAwTDxIaM=; b=nU5AVbYdOk14ul97B2TpMQT9P63laTWKwu3Hj+jxnFVLxxsDqAWex0fZg+38F58Tip 9US0CLactf0EmTXF1Xg+EC0JNNFhFvQYCcfpA8ac40NTafUUIrJOnBdLQJCIR0A18pUL PNNif1KiHpS/AENraiEXM0FcSlpWORWwLGtUlA/wyxJrBwE9yWu0LeqsUS5vyyE/kxt0 6d6nLRGsNvTQWOx2Kmm7wkF5bp6fSyMuGNeFm3703n44UjZcaYZbIqe5Dby/Y0mLE6ln YJPmsCb/rm7mz7l+q5QdexVjMVuAM1jl0qGtH6lmPPohdq2G9POwqjFxMPonNoIaPfIg sWBg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783977816; x=1784582616; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=otBwmNaHaQM26sxlH4S7rvsrxllaQCtHmYJAwTDxIaM=; b=Ogs343ftCYQIv9+YMEVOG9HklA7CGVBEAJefD/o4zwzCh7IWhqZKHq9mWJhZCooXqM uY89kVp1IT7/o7hx+9uzNy/hlTOosCEU+zCAvO4j+p3n+utsIyoYz9vJ5OkNQ/I8Jhdl JuMOIwdFHGxsqJikHRGaIckKWvnsVYyxctNb0udIQQ2BVAeZAsKkM5T2+ngj6JWfXYni 3blxEloOK57go6BGQGSoRgtrR5hzcqvJRaCYpFaUwuChfsjNT9M2A7379U5J4QFCqEY8 5qDs3H7m744BEV4tMlTj177NKEjSRarAWFJE577FtNqH+TSzmBSOnX6qtHng/i6tlizn mF2Q== X-Forwarded-Encrypted: i=1; AHgh+RqKmE1nexpGfQwCDUluudx40wD0LhEm81Hwdp87x+av4lboVSgS9i2Dn0PDXzrg4WM4AFErKJHIv2z3yk4=@vger.kernel.org X-Gm-Message-State: AOJu0YwYpmCMDvKINyst0kIrVFpYK5CwKKnZnzGqiTB+5NXW43BMIOwH vMMorMucG2odlMfIe5fF/rOrcYhuB5T6Rg4tkQ58bqnTRugGVUkcFiNCw0q2QBNy1D/gLQ== X-Gm-Gg: AfdE7cmLg6gV2vR/gxsQ6WkBQ06aExXqneybXpSxfd1gWbQrGnnlEYDtLLjPDjFaV4O R4kAON8IEGMUXjZLcyRmYB3i/TDKDOwih26dn5YRVrrv1Bqmra8wQOCq1Otwyf7GekkXhcpywBL Xk4odG3GG99encpQlT4y00CwAoBvkBP+NmgRRjnegXTpCBxJp5p/1XTt+uX1STMflwElgAYdXka jsDJwxyDVheyDPpkWm28EZxfi5iN1W/eJaAgQuqlDc1wZvXE3ZUVQQRNp4DWb2qkVb7tjv3PNDa ShqT5qa1JrB7PT4EVwFJn9Ir0woxA6OJTel+hKEsAZLKprJ+7d+IpIiz49A9mB8nHy/KsM1ckLV z5BBGWzIZVUtlBuGxKIFL/TGy4KUrMqrrHOMH1m4aKlxHqAw1JUDtJCUT58hMQ6PRHCf2TpW3Id lcRetA1Ktek0j+GX2KR8uOtZtAvrAovS+pynerbspasfKCx0YMs7s= X-Received: by 2002:a17:907:268c:b0:c15:f029:63a5 with SMTP id a640c23a62f3a-c161f393b9emr486403266b.50.1783977816462; Mon, 13 Jul 2026 14:23:36 -0700 (PDT) Received: from fudgebox (k10193.upc-k.chello.nl. [62.108.10.193]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-c15c1470325sm910975566b.14.2026.07.13.14.23.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Jul 2026 14:23:35 -0700 (PDT) Date: Mon, 13 Jul 2026 23:23:04 +0200 From: David Gall To: James Bottomley Cc: David Howells , Lukas Wunner , Ignat Korchagin , Herbert Xu , "David S. Miller" , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org Subject: Re: [PATCH] crypto: pkcs7_verify: use constant-time comparison for digest and signature verification Message-ID: References: <8607c6f25d3bad7601665bc4c4ce528e9f4cabef.camel@HansenPartnership.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <8607c6f25d3bad7601665bc4c4ce528e9f4cabef.camel@HansenPartnership.com> On Fri, Jul 10, 2026 at 01:56:51PM -0400, James Bottomley wrote: > On Fri, 2026-07-10 at 19:30 +0200, David C.C.M. Gall wrote: > > Replace memcmp() with crypto_memneq() for cryptographic digest and > > signature comparisons to prevent timing side-channel attacks. > > > > crypto/asymmetric_keys/pkcs7_verify.c: PKCS#7 message digest > > comparison during signature verification passes argument pkcs7 and > > attached signatures to pkcs7_digest via pkcs7_verify_one. > > pkcs7_digest utilized memcmp which could leak valid prefix length for > > attached signatures via timing side-channel. > > Please explain how this information is usable by an attacker? The > assumption is the attacker sees the module (or whatever is signed) so > the pkcs7 digest is inside the signature in plain text and the digest > of the entity being compared should be computable by any attacker. > > Regards, > > James > Looking into the usage of these methods a bit deeper, I agree with you that an attacker does not gain any useful information. I double checked and the method in question is also used as part of IMA modsig collection during the measurement collection process, but there too the method is not used to verify a signature, just to generate a hash, so the comparison itself is never reached in that path. In that case, I'd actually drop this patch. The only affected paths don't disclose anything useful to an attacker that can't already be computed by just examining the content. David