Re: [PATCH 0/2] Timing leaks in certain HW-crypto drivers

On Sun, Nov 15, 2015 at 05:14:40PM +0100, David Gstir wrote:
> [resend to linux-crypto]
> 
> Hi,
> 
> the following patches fix timing leaks which are introduced by using
> (non-constant time) memcmp() to verify cryptographic authentication tags.
> Specifically, the AES-GCM and AES-CCM implementations in the IBM Power
> in-Nest Crypto acceleration driver and the AEAD decryption function in the
> Freescale SEC (talitos) driver are vulnerable to this kind of attack.
> These timing leaks can be used by an attacker to find the correct
> authentication tag value for arbitrary messages with far less effort
> than brute-force testing all 2^n possible values for an n-bit tag.
> 
> The fix is rather simple: Use crypto_memneq() as the generic implementations
> in crypto/* already do.

Both patches applied.

Thanks,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
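The leak described in the quoted cover letter, shown as an added example that is not part of the thread or of the kernel drivers: an early-exit comparison in the style of memcmp() does an amount of work that grows with the length of the correctly guessed tag prefix, while a crypto_memneq()-style comparison visits every byte and yields only match/no-match. The 16-byte sample tag, the helper names and the -EBADMSG convention for a failed check are assumptions made here, not taken from the patches.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 16 /* AES-GCM / AES-CCM tag length assumed for this example */

/* Early-exit comparison in the style of memcmp(): it stops at the first
 * mismatching byte, so the amount of work (and hence time) depends on how
 * far a guess agrees with the secret tag. Returns 0 on equality and stores
 * the number of bytes examined in *examined. */
static int early_exit_neq(const uint8_t *a, const uint8_t *b, size_t n,
                          size_t *examined)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 1;
        }
    }
    *examined = n;
    return 0;
}

/* Constant-time inequality test in the spirit of crypto_memneq(): every
 * byte is visited, differences are OR-ed into an accumulator, and no
 * branch depends on the data. Returns 0 iff the buffers are equal; the
 * nonzero value carries no ordering information. The volatile qualifier
 * is a hedge against the compiler turning the loop back into a branch. */
static unsigned int ct_memneq(const void *a, const void *b, size_t n)
{
    const volatile uint8_t *pa = (const volatile uint8_t *)a;
    const volatile uint8_t *pb = (const volatile uint8_t *)b;
    uint8_t acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= pa[i] ^ pb[i];
    return acc;
}

/* Tag check in the shape a fixed AEAD decrypt path would use: -EBADMSG on
 * mismatch, 0 on success, taking the same path for every input. */
static int verify_tag_ct(const uint8_t *expected, const uint8_t *received)
{
    return ct_memneq(expected, received, TAG_LEN) ? -EBADMSG : 0;
}

/* Constructed sample tag; not derived from any real AEAD computation. */
static const uint8_t sample_tag[TAG_LEN] = {
    0x3a, 0x71, 0x9c, 0x04, 0xe5, 0x2b, 0x60, 0xd8,
    0x17, 0xfe, 0x4d, 0xa9, 0x83, 0x2c, 0x75, 0xb1,
};

/* Build a guess that agrees with sample_tag on its first `prefix` bytes and
 * differs on every remaining byte. */
static void make_guess(uint8_t *guess, size_t prefix)
{
    size_t i;

    for (i = 0; i < TAG_LEN; i++)
        guess[i] = (i < prefix) ? sample_tag[i]
                                : (uint8_t)(sample_tag[i] ^ 0xff);
}

/* Bytes the early-exit compare touches for a guess with a given matching
 * prefix: grows with the prefix, which is the observable leak. */
static size_t leaky_work_for_prefix(size_t prefix)
{
    uint8_t guess[TAG_LEN];
    size_t examined;

    make_guess(guess, prefix);
    (void)early_exit_neq(sample_tag, guess, TAG_LEN, &examined);
    return examined;
}

/* Result of the constant-time check for the same guess: only "match" or
 * "no match", after visiting all TAG_LEN bytes regardless of prefix. */
static int ct_result_for_prefix(size_t prefix)
{
    uint8_t guess[TAG_LEN];

    make_guess(guess, prefix);
    return verify_tag_ct(sample_tag, guess);
}

int main(void)
{
    size_t p;

    for (p = 0; p <= TAG_LEN; p++)
        printf("prefix %2zu: memcmp-style examined %2zu bytes, ct result %d\n",
               p, leaky_work_for_prefix(p), ct_result_for_prefix(p));
    return 0;
}
```

Running it prints one line per prefix length: the memcmp-style count climbs from 1 to 16 with the matching prefix, whereas the constant-time check reports -EBADMSG for every partial guess and 0 only for the full tag. The byte count stands in for the timing signal an attacker would measure; in the drivers the fix is exactly the swap from memcmp() to crypto_memneq() that the cover letter describes.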