[PATCH 3/5] crypto/ccp: use timing-safe digest comparison

[Stephen Hemminger]

Both the CPU HMAC verify path and the offload digest verify path
compared the computed and expected MAC with memcmp(), which short
circuits on the first mismatching byte and leaks the number of
matching leading bytes through timing.

Use rte_memeq_timingsafe() for both verify comparisons.

Bugzilla ID: 1773
Fixes: 6c561b03b54c ("crypto/ccp: support CPU based MD5 and SHA2 family")
Fixes: 70f0f8a8d78c ("crypto/ccp: support burst enqueue/dequeue")
Cc: stable at dpdk.org

Reported-by: Siraj Luthfi Ananda <sirajluthfi at gmail.com>
Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
---
 drivers/crypto/ccp/ccp_crypto.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/crypto/ccp/ccp_crypto.c b/drivers/crypto/ccp/ccp_crypto.c
index 5899d83bae..b07a786d8e 100644
--- a/drivers/crypto/ccp/ccp_crypto.c
+++ b/drivers/crypto/ccp/ccp_crypto.c
@@ -1490,8 +1490,8 @@ static int cpu_crypto_auth(struct ccp_qp *qp,
 	}
 
 	if (sess->auth.op == CCP_AUTH_OP_VERIFY) {
-		if (memcmp(dst, op->sym->auth.digest.data,
-			   sess->auth.digest_length) != 0) {
+		if (!rte_memeq_timingsafe(dst, op->sym->auth.digest.data,
+					  sess->auth.digest_length)) {
 			op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 		} else {
 			op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
@@ -2801,8 +2801,8 @@ static inline void ccp_auth_dq_prepare(struct rte_crypto_op *op)
 
 	op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
 	if (session->auth.op == CCP_AUTH_OP_VERIFY) {
-		if (memcmp(addr + offset, digest_data,
-			   session->auth.digest_length) != 0)
+		if (!rte_memeq_timingsafe(addr + offset, digest_data,
+					  session->auth.digest_length))
 			op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 
 	} else {
-- 
2.53.0