linux-kernel.vger.kernel.org archive mirror
* crypto_memneq not backported to 3.10
@ 2017-04-09 12:59 Jason A. Donenfeld
From: Jason A. Donenfeld @ 2017-04-09 12:59 UTC (permalink / raw)
  To: Willy Tarreau, stable; +Cc: LKML, Linux Crypto Mailing List

Hey Willy,

Linux 3.10 is inexplicably missing crypto_memneq, making all crypto
mac comparisons use non-constant-time comparisons. Bad news bears.

3.12 got these backported with
d68e944a8fcb2c6212b38064771c9f5af7b0b92c,
afe5a791d374e50a06ada7f4eda4e921e1b77996, and possibly others. I'd
suggest following suit, since many people are relying on this kernel
to do safe crypto.

Thanks,
Jason

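An added illustration of the point in the message above (my own example code, not the kernel's crypto_memneq and not from this thread): a memcmp()-style tag comparison returns at the first mismatching byte, so its running time reveals how many leading bytes of a guessed MAC were right, whereas a crypto_memneq-style compare does identical work for every input. TAG_LEN, the tag bytes and the step counters are constructed for the demo and are not from the kernel.

```c
#include <stddef.h>
#include <stdint.h>

#define TAG_LEN 16 /* constructed example: a 16-byte MAC tag */

/* The pre-crypto_memneq behaviour: a memcmp()-style compare that returns at
 * the first mismatching byte, so the work it does (and its running time)
 * grows with the length of the matching prefix of a supplied tag. */
static int early_exit_neq(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 1;
    }
    return 0;
}

/* Constant-time inequality in the spirit of crypto_memneq (not the kernel's
 * code): visit every byte, OR the XOR differences together, and branch on
 * nothing data-dependent. Returns 0 when equal, non-zero otherwise. The
 * volatile reads keep the compiler from turning this back into an early exit. */
static int ct_memneq(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    const volatile uint8_t *x = a, *y = b;
    uint8_t acc = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        acc |= x[i] ^ y[i];
    }
    return acc != 0;
}

/* Constructed tags that agree on the first k bytes (k == TAG_LEN: identical). */
static void make_tags(uint8_t *a, uint8_t *b, size_t k)
{
    for (size_t i = 0; i < TAG_LEN; i++)
        a[i] = b[i] = (uint8_t)(0x5a + i);
    if (k < TAG_LEN)
        b[k] ^= 0xff;
}

/* Bytes examined by each routine when the tags first differ at byte k. */
size_t early_exit_steps(size_t k) { uint8_t a[TAG_LEN], b[TAG_LEN]; size_t s; make_tags(a, b, k); early_exit_neq(a, b, TAG_LEN, &s); return s; }
size_t ct_steps(size_t k) { uint8_t a[TAG_LEN], b[TAG_LEN]; size_t s; make_tags(a, b, k); ct_memneq(a, b, TAG_LEN, &s); return s; }

/* MAC check as a caller should write it: 1 if the received tag is valid. */
int tag_valid(size_t k) { uint8_t a[TAG_LEN], b[TAG_LEN]; size_t s; make_tags(a, b, k); return ct_memneq(a, b, TAG_LEN, &s) == 0; }
```

The early-exit step count tracks the matching prefix (1, 8, 16 for k = 0, 7, 16) while the constant-time count is always 16, which is the observable difference the backport removes.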

* Re: crypto_memneq not backported to 3.10
From: Willy Tarreau @ 2017-04-09 13:25 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: stable, LKML, Linux Crypto Mailing List

Hi Jason,

On Sun, Apr 09, 2017 at 02:59:53PM +0200, Jason A. Donenfeld wrote:
> Hey Willy,
> 
> Linux 3.10 is inexplicably missing crypto_memneq, making all crypto
> mac comparisons use non-constant-time comparisons. Bad news bears.
> 
> 3.12 got these backported with
> d68e944a8fcb2c6212b38064771c9f5af7b0b92c,
> afe5a791d374e50a06ada7f4eda4e921e1b77996, and possibly others. I'd
> suggest following suit, since many people are relying on this kernel
> to do safe crypto.

Interesting. I remembered seeing some crypto_memneq stuff in the past,
and in fact there was one patch talking about this but trimmed down to
only affect other parts since crypto_memneq is indeed not part of 3.10.

I'll check if the 3.12 patches above can be safely backported, and I'll
have to re-apply the missing part of the one that was trimmed down
(commit 620c411 ("crypto: more robust crypto_memneq")).

Thanks!
Willy


* Re: crypto_memneq not backported to 3.10
From: Jason A. Donenfeld @ 2017-05-01 14:30 UTC (permalink / raw)
  To: Willy Tarreau; +Cc: stable, LKML, Linux Crypto Mailing List, security

Hey Willy,

On Sun, Apr 9, 2017 at 3:25 PM, Willy Tarreau <w@1wt.eu> wrote:
>
> Hi Jason,
>
> On Sun, Apr 09, 2017 at 02:59:53PM +0200, Jason A. Donenfeld wrote:
> > Hey Willy,
> >
> > Linux 3.10 is inexplicably missing crypto_memneq, making all crypto
> > mac comparisons use non-constant-time comparisons. Bad news bears.
> >
> > 3.12 got these backported with
> > d68e944a8fcb2c6212b38064771c9f5af7b0b92c,
> > afe5a791d374e50a06ada7f4eda4e921e1b77996, and possibly others. I'd
> > suggest following suit, since many people are relying on this kernel
> > to do safe crypto.
>
> Interesting. I remembered seeing some crypto_memneq stuff in the past,
> and in fact there was one patch talking about this but trimmed down to
> only affect other parts since crypto_memneq is indeed not part of 3.10.
>
> I'll check if the 3.12 patches above can be safely backported, and I'll
> have to re-apply the missing part of the one that was trimmed down
> (commit 620c411 ("crypto: more robust crypto_memneq")).

I'm vaguely wondering if you ever decided on backporting this. After I
reported the issue to Ubiquiti -- a random vendor doing ipsec with
3.10 -- they actually released a backport of these functions in a
security update for their stuff. So I imagine others might want this
sort of thing too.

Jason


* Re: crypto_memneq not backported to 3.10
From: Willy Tarreau @ 2017-05-01 14:48 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: stable, LKML, Linux Crypto Mailing List, security

Hi Jason,

On Mon, May 01, 2017 at 04:30:01PM +0200, Jason A. Donenfeld wrote:
> > I'll check if the 3.12 patches above can be safely backported, and I'll
> > have to re-apply the missing part of the one that was trimmed down
> > (commit 620c411 ("crypto: more robust crypto_memneq")).
> 
> I'm vaguely wondering if you ever decided on backporting this. After I
> reported the issue to Ubiquiti -- a random vendor doing ipsec with
> 3.10 -- they actually released a backport of these functions in a
> security update for their stuff. So I imagine others might want this
> sort of thing too.

I'll do it. It just happens that I've been quite busy lately so
no new 3.10 was released since you reported this ~1 month ago. I'll
get back to this ASAP.

Thanks for the heads up,
Willy
