The chained-op verify path compared the computed and expected MAC
with memcmp(), whose run time depends on the number of matching
leading bytes and can leak the digest to an attacker submitting
forged values.
Use rte_memeq_timingsafe() for the verify comparison.
Bugzilla ID: 1773
Fixes: 169ca3db550c ("crypto/armv8: add PMD optimized for ARMv8 processors")
Cc: [email protected]
Reported-by: Siraj Luthfi Ananda <[email protected]>
Signed-off-by: Stephen Hemminger <[email protected]>
---
drivers/crypto/armv8/rte_armv8_pmd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/armv8/rte_armv8_pmd.c
b/drivers/crypto/armv8/rte_armv8_pmd.c
index 320e2d4b3b..a7caac186d 100644
--- a/drivers/crypto/armv8/rte_armv8_pmd.c
+++ b/drivers/crypto/armv8/rte_armv8_pmd.c
@@ -631,8 +631,8 @@ process_armv8_chained_op(struct armv8_crypto_qp *qp, struct
rte_crypto_op *op,
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
- if (memcmp(adst, op->sym->auth.digest.data,
- sess->auth.digest_length) != 0) {
+ if (!rte_memeq_timingsafe(adst, op->sym->auth.digest.data,
+ sess->auth.digest_length)) {
op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
}
--
2.53.0
