[dpdk-dev] [PATCH] crypto/openssl: fix usage of non constant time memcmp for mac and signature
Arek Kusztal
arkadiuszx.kusztal at intel.com
Fri May 31 08:59:28 CEST 2019
ANSI C memcmp is not constant time function per spec so it should
be avoided in cryptography usage.
Fixes: d61f70b4c918 ("crypto/libcrypto: add driver for OpenSSL library")
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal at intel.com>
---
drivers/crypto/openssl/rte_openssl_pmd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 6504959..73ce383 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1529,7 +1529,7 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
}
if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
- if (memcmp(dst, op->sym->auth.digest.data,
+ if (CRYPTO_memcmp(dst, op->sym->auth.digest.data,
sess->auth.digest_length) != 0) {
op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
@@ -1914,7 +1914,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
"Length of public_decrypt %d "
"length of message %zd\n",
ret, op->rsa.message.length);
- if ((ret <= 0) || (memcmp(tmp, op->rsa.message.data,
+ if ((ret <= 0) || (CRYPTO_memcmp(tmp, op->rsa.message.data,
op->rsa.message.length))) {
OPENSSL_LOG(ERR, "RSA sign Verification failed");
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
--
2.1.0
More information about the dev
mailing list