* [PATCH v2 1/3] KEYS: trusted_tpm1: Compare HMAC values in constant time [not found] <20250809171941.5497-1-ebiggers@kernel.org> @ 2025-08-09 17:19 ` Eric Biggers 2025-08-12 16:23 ` Jarkko Sakkinen 0 siblings, 1 reply; 2+ messages in thread From: Eric Biggers @ 2025-08-09 17:19 UTC (permalink / raw) To: James Bottomley, Jarkko Sakkinen, Mimi Zohar, keyrings Cc: David Howells, linux-integrity, linux-crypto, linux-kernel, Eric Biggers, stable To prevent timing attacks, HMAC value comparison needs to be constant time. Replace the memcmp() with the correct function, crypto_memneq(). [For the Fixes commit I used the commit that introduced the memcmp(). It predates the introduction of crypto_memneq(), but it was still a bug at the time even though a helper function didn't exist yet.] Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> --- security/keys/trusted-keys/trusted_tpm1.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c index 89c9798d18007..e73f2c6c817a0 100644 --- a/security/keys/trusted-keys/trusted_tpm1.c +++ b/security/keys/trusted-keys/trusted_tpm1.c @@ -5,10 +5,11 @@ * * See Documentation/security/keys/trusted-encrypted.rst */ #include <crypto/hash_info.h> +#include <crypto/utils.h> #include <linux/init.h> #include <linux/slab.h> #include <linux/parser.h> #include <linux/string.h> #include <linux/err.h> @@ -239,11 +240,11 @@ int TSS_checkhmac1(unsigned char *buffer, TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, 1, continueflag, 0, 0); if (ret < 0) goto out; - if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) + if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE)) ret = -EINVAL; out: kfree_sensitive(sdesc); return ret; } @@ -332,20 +333,20 @@ static int TSS_checkhmac2(unsigned char *buffer, ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, paramdigest, TPM_NONCE_SIZE, enonce1, TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); if (ret < 0) goto out; - if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { + if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { ret = -EINVAL; goto out; } ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, paramdigest, TPM_NONCE_SIZE, enonce2, TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); if (ret < 0) goto out; - if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) + if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE)) ret = -EINVAL; out: kfree_sensitive(sdesc); return ret; } -- 2.50.1 ^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v2 1/3] KEYS: trusted_tpm1: Compare HMAC values in constant time 2025-08-09 17:19 ` [PATCH v2 1/3] KEYS: trusted_tpm1: Compare HMAC values in constant time Eric Biggers @ 2025-08-12 16:23 ` Jarkko Sakkinen 0 siblings, 0 replies; 2+ messages in thread From: Jarkko Sakkinen @ 2025-08-12 16:23 UTC (permalink / raw) To: Eric Biggers Cc: James Bottomley, Mimi Zohar, keyrings, David Howells, linux-integrity, linux-crypto, linux-kernel, stable On Sat, Aug 09, 2025 at 10:19:39AM -0700, Eric Biggers wrote: > To prevent timing attacks, HMAC value comparison needs to be constant > time. Replace the memcmp() with the correct function, crypto_memneq(). > > [For the Fixes commit I used the commit that introduced the memcmp(). > It predates the introduction of crypto_memneq(), but it was still a bug > at the time even though a helper function didn't exist yet.] > > Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") > Cc: stable@vger.kernel.org > Signed-off-by: Eric Biggers <ebiggers@kernel.org> > --- > security/keys/trusted-keys/trusted_tpm1.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c > index 89c9798d18007..e73f2c6c817a0 100644 > --- a/security/keys/trusted-keys/trusted_tpm1.c > +++ b/security/keys/trusted-keys/trusted_tpm1.c > @@ -5,10 +5,11 @@ > * > * See Documentation/security/keys/trusted-encrypted.rst > */ > > #include <crypto/hash_info.h> > +#include <crypto/utils.h> > #include <linux/init.h> > #include <linux/slab.h> > #include <linux/parser.h> > #include <linux/string.h> > #include <linux/err.h> > @@ -239,11 +240,11 @@ int TSS_checkhmac1(unsigned char *buffer, > TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, > 1, continueflag, 0, 0); > if (ret < 0) > goto out; > > - if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) > + if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE)) > ret = -EINVAL; > out: > kfree_sensitive(sdesc); > return ret; > } > @@ -332,20 +333,20 @@ static int TSS_checkhmac2(unsigned char *buffer, > ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, > paramdigest, TPM_NONCE_SIZE, enonce1, > TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); > if (ret < 0) > goto out; > - if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { > + if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { > ret = -EINVAL; > goto out; > } > ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, > paramdigest, TPM_NONCE_SIZE, enonce2, > TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); > if (ret < 0) > goto out; > - if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) > + if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE)) > ret = -EINVAL; > out: > kfree_sensitive(sdesc); > return ret; > } > -- > 2.50.1 > Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> BR, Jarkko ^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-08-12 16:23 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20250809171941.5497-1-ebiggers@kernel.org>
2025-08-09 17:19 ` [PATCH v2 1/3] KEYS: trusted_tpm1: Compare HMAC values in constant time Eric Biggers
2025-08-12 16:23 ` Jarkko Sakkinen
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox