Am Samstag, 10. Juni 2017, 04:59:06 CEST schrieb Jason A. Donenfeld: Hi Jason, > Whenever you're comparing two MACs, it's important to do this using > crypto_memneq instead of memcmp. With memcmp, you leak timing information, > which could then be used to iteratively forge a MAC. This is far too basic > of a mistake for us to have so pervasively in the year 2017, so let's begin > cleaning this stuff up. The following 6 locations were found with some > simple regex greps, but I'm sure more lurk below the surface. If you > maintain some code or know somebody who maintains some code that deals > with MACs, tell them to double check which comparison function they're > using. Are you planning to send an update to your patch set? If yes, there is another one which should be converted too: crypto/rsa-pkcs1pad.c. Otherwise, I will send a patch converting this one. Thanks. Ciao Stephan