* [PATCH 1/3] KEYS: trusted_tpm1: Compare HMAC values in constant time [not found] <20250731212354.105044-1-ebiggers@kernel.org> @ 2025-07-31 21:23 ` Eric Biggers 2025-08-05 13:44 ` Jarkko Sakkinen 0 siblings, 1 reply; 5+ messages in thread From: Eric Biggers @ 2025-07-31 21:23 UTC (permalink / raw) To: James Bottomley, Jarkko Sakkinen, Mimi Zohar, keyrings Cc: David Howells, linux-integrity, linux-crypto, linux-kernel, Eric Biggers, stable To prevent timing attacks, HMAC value comparison needs to be constant time. Replace the memcmp() with the correct function, crypto_memneq(). Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> --- security/keys/trusted-keys/trusted_tpm1.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c index 89c9798d18007..e73f2c6c817a0 100644 --- a/security/keys/trusted-keys/trusted_tpm1.c +++ b/security/keys/trusted-keys/trusted_tpm1.c @@ -5,10 +5,11 @@ * * See Documentation/security/keys/trusted-encrypted.rst */ #include <crypto/hash_info.h> +#include <crypto/utils.h> #include <linux/init.h> #include <linux/slab.h> #include <linux/parser.h> #include <linux/string.h> #include <linux/err.h> @@ -239,11 +240,11 @@ int TSS_checkhmac1(unsigned char *buffer, TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, 1, continueflag, 0, 0); if (ret < 0) goto out; - if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) + if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE)) ret = -EINVAL; out: kfree_sensitive(sdesc); return ret; } @@ -332,20 +333,20 @@ static int TSS_checkhmac2(unsigned char *buffer, ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, paramdigest, TPM_NONCE_SIZE, enonce1, TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); if (ret < 0) goto out; - if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { + if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { ret = -EINVAL; goto out; } ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, paramdigest, TPM_NONCE_SIZE, enonce2, TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); if (ret < 0) goto out; - if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) + if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE)) ret = -EINVAL; out: kfree_sensitive(sdesc); return ret; } base-commit: d6084bb815c453de27af8071a23163a711586a6c -- 2.50.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 1/3] KEYS: trusted_tpm1: Compare HMAC values in constant time 2025-07-31 21:23 ` [PATCH 1/3] KEYS: trusted_tpm1: Compare HMAC values in constant time Eric Biggers @ 2025-08-05 13:44 ` Jarkko Sakkinen 2025-08-05 17:32 ` Eric Biggers 0 siblings, 1 reply; 5+ messages in thread From: Jarkko Sakkinen @ 2025-08-05 13:44 UTC (permalink / raw) To: Eric Biggers Cc: James Bottomley, Mimi Zohar, keyrings, David Howells, linux-integrity, linux-crypto, linux-kernel, stable On Thu, Jul 31, 2025 at 02:23:52PM -0700, Eric Biggers wrote: > To prevent timing attacks, HMAC value comparison needs to be constant > time. Replace the memcmp() with the correct function, crypto_memneq(). > > Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") > Cc: stable@vger.kernel.org > Signed-off-by: Eric Biggers <ebiggers@kernel.org> Was crypto_memneq() available at the time? > --- > security/keys/trusted-keys/trusted_tpm1.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c > index 89c9798d18007..e73f2c6c817a0 100644 > --- a/security/keys/trusted-keys/trusted_tpm1.c > +++ b/security/keys/trusted-keys/trusted_tpm1.c > @@ -5,10 +5,11 @@ > * > * See Documentation/security/keys/trusted-encrypted.rst > */ > > #include <crypto/hash_info.h> > +#include <crypto/utils.h> > #include <linux/init.h> > #include <linux/slab.h> > #include <linux/parser.h> > #include <linux/string.h> > #include <linux/err.h> > @@ -239,11 +240,11 @@ int TSS_checkhmac1(unsigned char *buffer, > TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, > 1, continueflag, 0, 0); > if (ret < 0) > goto out; > > - if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) > + if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE)) > ret = -EINVAL; > out: > kfree_sensitive(sdesc); > return ret; > } > @@ -332,20 +333,20 @@ static int TSS_checkhmac2(unsigned char *buffer, > ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, > paramdigest, TPM_NONCE_SIZE, enonce1, > TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); > if (ret < 0) > goto out; > - if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { > + if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { > ret = -EINVAL; > goto out; > } > ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, > paramdigest, TPM_NONCE_SIZE, enonce2, > TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); > if (ret < 0) > goto out; > - if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) > + if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE)) > ret = -EINVAL; > out: > kfree_sensitive(sdesc); > return ret; > } > > base-commit: d6084bb815c453de27af8071a23163a711586a6c > -- > 2.50.1 > BR, Jarkko ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/3] KEYS: trusted_tpm1: Compare HMAC values in constant time 2025-08-05 13:44 ` Jarkko Sakkinen @ 2025-08-05 17:32 ` Eric Biggers 2025-08-09 10:37 ` Jarkko Sakkinen 0 siblings, 1 reply; 5+ messages in thread From: Eric Biggers @ 2025-08-05 17:32 UTC (permalink / raw) To: Jarkko Sakkinen Cc: James Bottomley, Mimi Zohar, keyrings, David Howells, linux-integrity, linux-crypto, linux-kernel, stable On Tue, Aug 05, 2025 at 04:44:27PM +0300, Jarkko Sakkinen wrote: > On Thu, Jul 31, 2025 at 02:23:52PM -0700, Eric Biggers wrote: > > To prevent timing attacks, HMAC value comparison needs to be constant > > time. Replace the memcmp() with the correct function, crypto_memneq(). > > > > Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") > > Cc: stable@vger.kernel.org > > Signed-off-by: Eric Biggers <ebiggers@kernel.org> > > Was crypto_memneq() available at the time? No. The Fixes commit is still correct, though, as it's the commit that introduced the memcmp(). Technically it was still a bug at that time, even if there wasn't a helper function available yet. - Eric ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/3] KEYS: trusted_tpm1: Compare HMAC values in constant time 2025-08-05 17:32 ` Eric Biggers @ 2025-08-09 10:37 ` Jarkko Sakkinen 2025-08-09 17:21 ` Eric Biggers 0 siblings, 1 reply; 5+ messages in thread From: Jarkko Sakkinen @ 2025-08-09 10:37 UTC (permalink / raw) To: Eric Biggers Cc: James Bottomley, Mimi Zohar, keyrings, David Howells, linux-integrity, linux-crypto, linux-kernel, stable On Tue, Aug 05, 2025 at 10:32:27AM -0700, Eric Biggers wrote: > On Tue, Aug 05, 2025 at 04:44:27PM +0300, Jarkko Sakkinen wrote: > > On Thu, Jul 31, 2025 at 02:23:52PM -0700, Eric Biggers wrote: > > > To prevent timing attacks, HMAC value comparison needs to be constant > > > time. Replace the memcmp() with the correct function, crypto_memneq(). > > > > > > Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") > > > Cc: stable@vger.kernel.org > > > Signed-off-by: Eric Biggers <ebiggers@kernel.org> > > > > Was crypto_memneq() available at the time? > > No. The Fixes commit is still correct, though, as it's the commit that > introduced the memcmp(). Technically it was still a bug at that time, > even if there wasn't a helper function available yet. Add a remark to the commit message. > > - Eric BR, Jarkko ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/3] KEYS: trusted_tpm1: Compare HMAC values in constant time 2025-08-09 10:37 ` Jarkko Sakkinen @ 2025-08-09 17:21 ` Eric Biggers 0 siblings, 0 replies; 5+ messages in thread From: Eric Biggers @ 2025-08-09 17:21 UTC (permalink / raw) To: Jarkko Sakkinen Cc: James Bottomley, Mimi Zohar, keyrings, David Howells, linux-integrity, linux-crypto, linux-kernel, stable On Sat, Aug 09, 2025 at 01:37:49PM +0300, Jarkko Sakkinen wrote: > On Tue, Aug 05, 2025 at 10:32:27AM -0700, Eric Biggers wrote: > > On Tue, Aug 05, 2025 at 04:44:27PM +0300, Jarkko Sakkinen wrote: > > > On Thu, Jul 31, 2025 at 02:23:52PM -0700, Eric Biggers wrote: > > > > To prevent timing attacks, HMAC value comparison needs to be constant > > > > time. Replace the memcmp() with the correct function, crypto_memneq(). > > > > > > > > Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") > > > > Cc: stable@vger.kernel.org > > > > Signed-off-by: Eric Biggers <ebiggers@kernel.org> > > > > > > Was crypto_memneq() available at the time? > > > > No. The Fixes commit is still correct, though, as it's the commit that > > introduced the memcmp(). Technically it was still a bug at that time, > > even if there wasn't a helper function available yet. > > Add a remark to the commit message. I don't know what the point is (both commits are over a decade old), but sure I did that in v2. - Eric ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-08-09 17:21 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20250731212354.105044-1-ebiggers@kernel.org>
2025-07-31 21:23 ` [PATCH 1/3] KEYS: trusted_tpm1: Compare HMAC values in constant time Eric Biggers
2025-08-05 13:44 ` Jarkko Sakkinen
2025-08-05 17:32 ` Eric Biggers
2025-08-09 10:37 ` Jarkko Sakkinen
2025-08-09 17:21 ` Eric Biggers
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox