On Sun, Nov 15, 2015 at 05:14:40PM +0100, David Gstir wrote:
> [resend to linux-crypto]
>
> Hi,
>
> the following patches fix timing leaks which are introduced by using
> (non-constant time) memcmp() to verify cryptographic authentication tags.
> Specifically, the AES-GCM and AES-CCM implementations in the IBM Power
> in-Nest Crypto acceleration driver and the AEAD decryption function in the
> Freescale SEC (talitos) driver are vulnerable to this kind of attack.
> These timing leaks can be used by an attacker to find the correct
> authentication tag value for arbitrary messages with far less effort
> than brute-force testing all 2^n possible values for an n-bit tag.
>
> The fix is rather simple: Use crypto_memneq() as the generic implementations
> in crypto/* already do.

Both patches applied. Thanks,
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
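To illustrate the leak the patches close, here is an added, self-contained C example (not the patches themselves and not kernel code): an early-exit tag comparison in the style of memcmp() next to a constant-time comparison modelled on crypto_memneq(). Instead of wall-clock timing it counts the bytes each check examines, which shows why the early-exit version reveals the position of the first wrong tag byte; the tag values and the helper names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_LEN 16   /* GCM/CCM tags are up to 16 bytes */

/* Early-exit comparison in the style of a typical memcmp(): it stops at
 * the first differing byte.  *steps receives the number of bytes examined,
 * which stands in for execution time and depends on where the mismatch is. */
static int tag_equal_early_exit(const uint8_t *calc, const uint8_t *recv,
                                size_t n, size_t *steps)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (calc[i] != recv[i]) {
            *steps = i + 1;
            return 0;
        }
    }
    *steps = n;
    return 1;
}

/* Constant-time comparison modelled on the kernel's crypto_memneq():
 * every byte is visited and the differences are OR-accumulated, so the
 * work done (and the branch pattern) does not depend on the data.
 * Returns 0 when equal, non-zero otherwise, like crypto_memneq(). */
static unsigned long ct_memneq(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < n; i++)
        acc |= (unsigned char)(pa[i] ^ pb[i]);
    return acc;
}

/* Builds a constructed tag pair that differs only at byte `pos` and returns
 * how many bytes the early-exit check looked at before rejecting it. */
size_t early_exit_steps_for_mismatch_at(size_t pos)
{
    uint8_t calc[TAG_LEN], recv[TAG_LEN];
    size_t i, steps;
    for (i = 0; i < TAG_LEN; i++)
        calc[i] = recv[i] = (uint8_t)(0xA5 ^ i);   /* constructed tag bytes */
    recv[pos % TAG_LEN] ^= 0x01;
    tag_equal_early_exit(calc, recv, TAG_LEN, &steps);
    return steps;
}

/* Same check with the constant-time comparison: 1 if accepted, 0 if rejected. */
int ct_accepts_mismatch_at(size_t pos, int corrupt)
{
    uint8_t calc[TAG_LEN], recv[TAG_LEN];
    size_t i;
    for (i = 0; i < TAG_LEN; i++)
        calc[i] = recv[i] = (uint8_t)(0xA5 ^ i);
    if (corrupt)
        recv[pos % TAG_LEN] ^= 0x01;
    return ct_memneq(calc, recv, TAG_LEN) == 0;
}
```

With the early-exit check, a mismatch at byte 0 costs 1 step and a mismatch at byte 15 costs 16, so the observable cost tells the sender how many leading bytes were already right; ct_memneq() always visits all TAG_LEN bytes and gives only accept/reject.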