Digest verification used memcmp() to compare the computed and
expected MAC. memcmp() returns as soon as the first differing byte
is found, so its run time depends on how many leading bytes match.
An attacker submitting forged digests can use that timing signal to
recover the correct value one byte at a time.

Use rte_memeq_timingsafe(), whose run time depends only on the
length, for the verify comparison.

Bugzilla ID: 1773
Fixes: aba5b230ca04 ("crypto/uadk: use async mode")
Cc: [email protected]
Reported-by: Siraj Luthfi Ananda <[email protected]>
Signed-off-by: Stephen Hemminger <[email protected]>
---
drivers/crypto/uadk/uadk_crypto_pmd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/uadk/uadk_crypto_pmd.c
b/drivers/crypto/uadk/uadk_crypto_pmd.c
index 3c4e83e56f..221ad546da 100644
--- a/drivers/crypto/uadk/uadk_crypto_pmd.c
+++ b/drivers/crypto/uadk/uadk_crypto_pmd.c
@@ -1111,8 +1111,8 @@ uadk_crypto_dequeue_burst(void *queue_pair, struct
rte_crypto_op **ops,
if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
uint8_t *dst = qp->temp_digest[i % BURST_MAX];
- if (memcmp(dst, op->sym->auth.digest.data,
- sess->auth.digest_length) != 0)
+ if (!rte_memeq_timingsafe(dst,
op->sym->auth.digest.data,
+ sess->auth.digest_length))
op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
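Review bot: The new call in the RTE_CRYPTO_AUTH_OP_VERIFY branch, `if (!rte_memeq_timingsafe(dst, ...`, arrives without a new #include: the diffstat shows 2 insertions and 2 deletions, all inside this condition. Please confirm that uadk_crypto_pmd.c already includes the header that declares rte_memeq_timingsafe() directly, rather than relying on a transitive include. The test also changes polarity from `memcmp(...) != 0` to `!rte_memeq_timingsafe(...)`, which sets RTE_CRYPTO_OP_STATUS_AUTH_FAILED correctly only if the helper returns non-zero on equality. A sentence in the commit message stating that return convention would make the inversion easy to check when this is backported to stable.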
--
2.53.0