crypto: rsa-pkcs1pad - use constant time memory comparison for MACs

Otherwise, we enable all sorts of forgeries via timing attack. Signed-off-by: Jason A. Donenfeld <[email protected]> Suggested-by: Stephan Müller <[email protected]> Cc: [email protected] Cc: Herbert Xu <[email protected]> Cc: [email protected] Signed-off-by: Herbert Xu <[email protected]>
CamonZ · Jun 20, 2017 · fec17cb · fec17cb
1 parent ffe5526
commit fec17cb
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c
@@ -490,7 +490,7 @@ static int pkcs1pad_verify_complete(struct akcipher_request *req, int err)
 		goto done;
 	pos++;
 
-	if (memcmp(out_buf + pos, digest_info->data, digest_info->size))
+	if (crypto_memneq(out_buf + pos, digest_info->data, digest_info->size))
 		goto done;
 
 	pos += digest_info->size;