compl_auth_verify() compared the generated and received MAC with
memcmp(), which returns early on the first differing byte and leaks
the number of matching leading bytes through timing.
Use rte_memeq_timingsafe() for the verify comparison.
Bugzilla ID: 1773
Fixes: 786963fdcf3e ("crypto/cnxk: add digest support")
Cc: [email protected]
Signed-off-by: Stephen Hemminger <[email protected]>
---
drivers/crypto/cnxk/cnxk_se.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h
index 8dbf3e73c7..d2306a9daf 100644
--- a/drivers/crypto/cnxk/cnxk_se.h
+++ b/drivers/crypto/cnxk/cnxk_se.h
@@ -3282,7 +3282,7 @@ compl_auth_verify(struct rte_crypto_op *op, uint8_t
*gen_mac, uint64_t mac_len)
return;
}
- if (memcmp(mac, gen_mac, mac_len))
+ if (!rte_memeq_timingsafe(mac, gen_mac, mac_len))
op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
else
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
--
2.53.0
