From patchwork Mon Jun 19 16:44:06 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jason A. Donenfeld" X-Patchwork-Id: 9796807 X-Patchwork-Delegate: johannes@sipsolutions.net Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 29DB960381 for ; Mon, 19 Jun 2017 16:46:42 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 13AD727E5A for ; Mon, 19 Jun 2017 16:46:42 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 06B2D27F8F; Mon, 19 Jun 2017 16:46:42 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6C85C27E5A for ; Mon, 19 Jun 2017 16:46:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751036AbdFSQqk (ORCPT ); Mon, 19 Jun 2017 12:46:40 -0400 Received: from frisell.zx2c4.com ([192.95.5.64]:58813 "EHLO frisell.zx2c4.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750828AbdFSQqj (ORCPT ); Mon, 19 Jun 2017 12:46:39 -0400 Received: by frisell.zx2c4.com (ZX2C4 Mail Server) with ESMTP id de1ca1a4; Mon, 19 Jun 2017 16:44:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=zx2c4.com; h=from:to:cc :subject:date:message-id:in-reply-to:references; s=mail; bh=BPA2 xwHUubiwdgX1vHCyoEOb7Sc=; b=wAZKMoUh9w93TLHnm8lQqiSwTKN6LS4qFfwQ CoUwvJVieBo1dAJv92GruRUFxfTgKFzjtIztPyGPBXihKIGOv2mf0fBgbd4mPqli V9+bWzzN4DzFB+7cpI3c32QSansd2zjsCKuYAqlHfhWpHVJXFHjpeL8pjsp5Wc0u WBld5YnE6ZgRktfmTNAFKrBXrjuc6VSTeXeMG/xa03BMombt4O0wQWTWAaxZmWGH adS4SYMAJ7xlov6Oujq0Sm1ysyhtKYhaZ+L/+aHRhzVylMfY1NmDWYFBSNX4ujAI P3dc1mEkv5UiTLpXuYlKmSs8a5eBD52v5PUoUpBSrMnUqBJi1Q== Received: by frisell.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 7211f191 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO); Mon, 19 Jun 2017 16:44:39 +0000 (UTC) From: "Jason A. Donenfeld" To: gregkh@linuxfoundation.org Cc: "Jason A. Donenfeld" , Johannes Berg , linux-wireless@vger.kernel.org, stable@vger.kernel.org, Johannes Berg Subject: [PATCH v2 3.18-stable] mac80211/wpa: use constant time memory comparison for MACs Date: Mon, 19 Jun 2017 18:44:06 +0200 Message-Id: <20170619164406.23738-1-Jason@zx2c4.com> In-Reply-To: <1497818656.2259.1.camel@sipsolutions.net> References: <1497818656.2259.1.camel@sipsolutions.net> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Otherwise, we enable all sorts of forgeries via timing attack. Signed-off-by: Jason A. Donenfeld Cc: Johannes Berg Cc: linux-wireless@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg --- This is for 3.18. Tested this, and it works as intended. net/mac80211/wpa.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c index 983527a4c1ab..bf87de469c03 100644 --- a/net/mac80211/wpa.c +++ b/net/mac80211/wpa.c @@ -16,6 +16,7 @@ #include #include #include +#include #include "ieee80211_i.h" #include "michael.h" @@ -150,7 +151,7 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx) data_len = skb->len - hdrlen - MICHAEL_MIC_LEN; key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY]; michael_mic(key, hdr, data, data_len, mic); - if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0) + if (crypto_memneq(mic, data + data_len, MICHAEL_MIC_LEN)) goto mic_fail; /* remove Michael MIC from payload */ @@ -771,7 +772,7 @@ ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx) bip_aad(skb, aad); ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad, skb->data + 24, skb->len - 24, mic); - if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) { + if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) { key->u.aes_cmac.icverrors++; return RX_DROP_UNUSABLE; }