[EXTERNAL] [dpdk-dev v1] cryptodev: introduce constant-time memory comparison

[Akhil Goyal]

> Add rte_consttime_memcmp() to prevent timing attacks in cryptographic
> digest verification operations.
> 
> Replace memcmp() with rte_consttime_memcmp() in cryptographic
> authentication verification operations across multiple crypto drivers:
> 
> * ipsec_mb
> * scheduler
> 
> Note: OpenSSL crypto driver already uses CRYPTO_memcmp() which
> provides equivalent timing attack resistance and is left unchanged.
> 
> Bugzilla ID: 1773
> Cc: stable at dpdk.org
> 
> [0] https://bugs.dpdk.org/show_bug.cgi?id=1773
> 
> Signed-off-by: Kai Ji <kai.ji at intel.com>


> diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
> index eaf0e50d37..77f10fbf88 100644
> --- a/lib/cryptodev/rte_cryptodev.h
> +++ b/lib/cryptodev/rte_cryptodev.h
> @@ -78,6 +78,29 @@ extern int rte_cryptodev_logtype;
>  #define rte_crypto_op_ctophys_offset(c, o)	\
>  	(rte_iova_t)((c)->phys_addr + (o))
> 
> +/**
> + * Constant-time memory comparison for cryptographic use.
> + * Returns 0 if the memory regions are equal, nonzero otherwise.
> + * Runs in constant time with respect to the length to prevent timing attacks.
> + *
> + * @param a
> + *   Pointer to the first memory region.
> + * @param b
> + *   Pointer to the second memory region.
> + * @param n
> + *   Number of bytes to compare.
> + * @return
> + *   0 if memory regions are equal, nonzero otherwise.
> + */
> +#define rte_consttime_memcmp(a, b, n) __extension__ ({ \
> +	const volatile uint8_t *__pa = (const volatile uint8_t *)(a); \
> +	const volatile uint8_t *__pb = (const volatile uint8_t *)(b); \
> +	uint8_t __result = 0; \
> +	for (size_t __i = 0; __i < (n); __i++) \
> +		__result |= __pa[__i] ^ __pb[__i]; \
> +	__result; \
> +})
> +
>  /**
>   * Crypto parameters range description
>   */

I believe this is not the right place to add this define. It should be somewhere in common eal if it is already not there.

++ Thomas, Stephen, Bruce, David.