[PATCH 2/5] crypto/uadk: use timing-safe digest comparison

Stephen Hemminger stephen at networkplumber.org
Thu Jun 25 17:56:35 CEST 2026


Digest verification used memcmp() to compare the computed and
expected MAC. memcmp() returns as soon as the first differing byte
is found, so its run time depends on how many leading bytes match.
An attacker submitting forged digests can use that timing signal to
recover the correct value one byte at a time.

Use rte_memeq_timingsafe(), whose run time depends only on the
length, for the verify comparison.

Bugzilla ID: 1773
Fixes: aba5b230ca04 ("crypto/uadk: use async mode")
Cc: stable at dpdk.org

Reported-by: Siraj Luthfi Ananda <sirajluthfi at gmail.com>
Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
---
 drivers/crypto/uadk/uadk_crypto_pmd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/uadk/uadk_crypto_pmd.c b/drivers/crypto/uadk/uadk_crypto_pmd.c
index 3c4e83e56f..221ad546da 100644
--- a/drivers/crypto/uadk/uadk_crypto_pmd.c
+++ b/drivers/crypto/uadk/uadk_crypto_pmd.c
@@ -1111,8 +1111,8 @@ uadk_crypto_dequeue_burst(void *queue_pair, struct rte_crypto_op **ops,
 		if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
 			uint8_t *dst = qp->temp_digest[i % BURST_MAX];
 
-			if (memcmp(dst, op->sym->auth.digest.data,
-				   sess->auth.digest_length) != 0)
+			if (!rte_memeq_timingsafe(dst, op->sym->auth.digest.data,
+						  sess->auth.digest_length))
 				op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 		}
 
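Review bot: the new `rte_memeq_timingsafe()` call in the verify branch depends on a declaration this patch does not add. The diffstat shows only the two replaced lines, so no #include is introduced in uadk_crypto_pmd.c. Please confirm that the header declaring the helper (presumably added earlier in this series) is already included by this file, which matters most for the stable backport requested via Cc. The leading `!` also assumes the helper returns true on equality, the opposite sense of memcmp(); stating that return convention in the commit message would make it easier to check that the AUTH_FAILED branch is not inverted when the change is backported.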
-- 
2.53.0


