compl_auth_verify() compared the generated and received MAC with
memcmp(), which returns early on the first differing byte and leaks
the number of matching leading bytes through timing.
Use rte_memeq_timingsafe() for the verify comparison.
Bugzilla ID: 1773
Fixes: 786963fdcf3e ("crypto/cnxk: add digest support")
Cc: [email protected]
Signed-off-by: Stephen Hemminger <[email protected]>
Acked-by: Tejasree Kondoj <[email protected]>
---
drivers/crypto/cnxk/cnxk_ae.h | 4 +++-
drivers/crypto/cnxk/cnxk_se.h | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/cnxk/cnxk_ae.h b/drivers/crypto/cnxk/cnxk_ae.h
index 691f9bfce5..f2aa5d5a2e 100644
--- a/drivers/crypto/cnxk/cnxk_ae.h
+++ b/drivers/crypto/cnxk/cnxk_ae.h
@@ -8,6 +8,7 @@
#include <rte_common.h>
#include <rte_crypto_asym.h>
#include <rte_malloc.h>
+#include <rte_memory.h>
#include "roc_ae.h"
#include "roc_re.h"
@@ -1921,7 +1922,8 @@ cnxk_ae_dequeue_rsa_op(struct rte_crypto_op *cop, uint8_t
*rptr,
* Offset output data pointer by length field
* (2 bytes) and compare signed data.
*/
- if (memcmp(rptr + 2, rsa->message.data,
rsa->message.length))
+ if (!rte_memeq_timingsafe(rptr + 2,
+ rsa->message.data,
rsa->message.length))
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
}
break;
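Review bot: The comparison at `rptr + 2` covers exactly `rsa->message.length` bytes, and nothing visible in this hunk checks the 2-byte length field, which the comment says is skipped, against `rsa->message.length`. If that check is not made above the hunk, a recovered payload that is longer than the message but begins with it would still pass verification, so confirm or add a length equality test before the compare. Separately, the commit message describes only compl_auth_verify() and the MAC comparison, but this RSA verify path in cnxk_ae_dequeue_rsa_op() is changed too and should be named there. The function body starts and ends outside the hunk.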
diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h
index 09d9d1e0e3..3ed32f7ddd 100644
--- a/drivers/crypto/cnxk/cnxk_se.h
+++ b/drivers/crypto/cnxk/cnxk_se.h
@@ -3362,7 +3362,7 @@ compl_auth_verify(struct rte_crypto_op *op, uint8_t
*gen_mac, uint64_t mac_len)
return;
}
- if (memcmp(mac, gen_mac, mac_len))
+ if (!rte_memeq_timingsafe(mac, gen_mac, mac_len))
op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
else
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
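Review bot: The new compare in compl_auth_verify() carries no comment saying why it must stay constant-time, so a later cleanup could put memcmp() back. I would add `/* Constant-time compare: memcmp() leaks the matching MAC prefix length through timing. */` above the `if`. Also, with `mac_len == 0` the compare covers zero bytes and presumably reports equality, which would set RTE_CRYPTO_OP_STATUS_SUCCESS. Whether callers can pass zero is not visible here because the function starts outside the hunk, so confirm that case is rejected earlier.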
--
2.53.0