[PATCH 4/5] crypto/armv8: use timing-safe digest comparison

Jack Bond-Preston jack.bond-preston at foss.arm.com
Fri Jun 26 19:11:01 CEST 2026


Acked-by: Jack Bond-Preston <jack.bond-preston at foss.arm.com>

On 25/06/2026 16:56, Stephen Hemminger wrote:
> The chained-op verify path compared the computed and expected MAC
> with memcmp(), whose run time depends on the number of matching
> leading bytes and can leak the digest to an attacker submitting
> forged values.
> 
> Use rte_memeq_timingsafe() for the verify comparison.
> 
> Bugzilla ID: 1773
> Fixes: 169ca3db550c ("crypto/armv8: add PMD optimized for ARMv8 processors")
> Cc: stable at dpdk.org
> 
> Reported-by: Siraj Luthfi Ananda <sirajluthfi at gmail.com>
> Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
> ---
>   drivers/crypto/armv8/rte_armv8_pmd.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/crypto/armv8/rte_armv8_pmd.c b/drivers/crypto/armv8/rte_armv8_pmd.c
> index 320e2d4b3b..a7caac186d 100644
> --- a/drivers/crypto/armv8/rte_armv8_pmd.c
> +++ b/drivers/crypto/armv8/rte_armv8_pmd.c
> @@ -631,8 +631,8 @@ process_armv8_chained_op(struct armv8_crypto_qp *qp, struct rte_crypto_op *op,
>   
>   	op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
>   	if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
> -		if (memcmp(adst, op->sym->auth.digest.data,
> -				sess->auth.digest_length) != 0) {
> +		if (!rte_memeq_timingsafe(adst, op->sym->auth.digest.data,
> +					  sess->auth.digest_length)) {
>   			op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
>   		}
>   	}
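Review bot: the negated test `!rte_memeq_timingsafe(...)` in the verify branch is only correct if the helper returns non-zero (true) when the buffers are equal, which is the opposite sense from the `memcmp(...) != 0` it replaces. The helper's definition is not part of this hunk, so please confirm the return convention against it; getting it backwards here would mark every valid digest as RTE_CRYPTO_OP_STATUS_AUTH_FAILED and accept mismatches. The diffstat also shows only these two lines changing, with no new #include, so check that the header declaring rte_memeq_timingsafe() is already reachable from rte_armv8_pmd.c. A verify test case with a deliberately wrong digest that expects AUTH_FAILED would cover both points.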


