[PATCH v2 5/6] crypto/cnxk: use timing-safe digest comparison

Stephen Hemminger stephen at networkplumber.org
Mon Jun 29 20:59:28 CEST 2026


compl_auth_verify() compared the generated and received MAC with
memcmp(), which returns early on the first differing byte and leaks
the number of matching leading bytes through timing.

Use rte_memeq_timingsafe() for the verify comparison.

Bugzilla ID: 1773
Fixes: 786963fdcf3e ("crypto/cnxk: add digest support")
Cc: stable at dpdk.org

Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
Acked-by: Tejasree Kondoj <ktejasree at marvell.com>
---
 drivers/crypto/cnxk/cnxk_ae.h | 4 +++-
 drivers/crypto/cnxk/cnxk_se.h | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/cnxk/cnxk_ae.h b/drivers/crypto/cnxk/cnxk_ae.h
index 691f9bfce5..f2aa5d5a2e 100644
--- a/drivers/crypto/cnxk/cnxk_ae.h
+++ b/drivers/crypto/cnxk/cnxk_ae.h
@@ -8,6 +8,7 @@
 #include <rte_common.h>
 #include <rte_crypto_asym.h>
 #include <rte_malloc.h>
+#include <rte_memory.h>
 
 #include "roc_ae.h"
 #include "roc_re.h"
@@ -1921,7 +1922,8 @@ cnxk_ae_dequeue_rsa_op(struct rte_crypto_op *cop, uint8_t *rptr,
 			 * Offset output data pointer by length field
 			 * (2 bytes) and compare signed data.
 			 */
-			if (memcmp(rptr + 2, rsa->message.data, rsa->message.length))
+			if (!rte_memeq_timingsafe(rptr + 2,
+						  rsa->message.data, rsa->message.length))
 				cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
 		}
 		break;
diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h
index 09d9d1e0e3..3ed32f7ddd 100644
--- a/drivers/crypto/cnxk/cnxk_se.h
+++ b/drivers/crypto/cnxk/cnxk_se.h
@@ -3362,7 +3362,7 @@ compl_auth_verify(struct rte_crypto_op *op, uint8_t *gen_mac, uint64_t mac_len)
 		return;
 	}
 
-	if (memcmp(mac, gen_mac, mac_len))
+	if (!rte_memeq_timingsafe(mac, gen_mac, mac_len))
 		op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 	else
 		op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
-- 
2.53.0



More information about the stable mailing list