[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1508219181.10607.45.camel@sipsolutions.net>
Date: Tue, 17 Oct 2017 07:46:21 +0200
From: Johannes Berg <johannes@...solutions.net>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org,
linux-wireless@...r.kernel.org
Subject: Re: pull-request: mac80211 2017-10-16
On Tue, 2017-10-17 at 01:30 +0200, Jason A. Donenfeld wrote:
> Mobile phone right now, so not able to write patch, but you probably
> should be using crypto_memneq for comparing those two keys, not
> memcmp.
I know that's a gut instinct, but I really don't see the point.
If you actually get this to evaluate to "equal", you're already being
attacked, and the attacker already knows they're trying to get the same
key to be installed again. If it's not equal, you execute so much code
beneath, going to the driver etc., that I'd think this particular time
is in the noise.
Also, this isn't something that the attacker can directly observe
anyway, and if they can, then surely the fact that we *skip* a large
amount of code when returning 0 is also observable.
Besides, the only thing that can observe the timing is hostapd or
wpa_supplicant, which obviously know the key (and in the fixed versions
will already have done the comparison themselves).
And lastly, if you wanted to use this as an oracle to get the key back
from the kernel, then you already have admin permissions (in your
network namespace), and can just sniff netlink traffic anyway.
johannes
Powered by blists - more mailing lists