From: Kai Ji <kai.ji@intel.com>
To: dev@dpdk.org
Cc: Kai Ji <kai.ji@intel.com>,
stable@dpdk.org, Pablo de Lara <pablo.de.lara.guarch@intel.com>,
Akhil Goyal <gakhil@marvell.com>,
Fan Zhang <fanzhang.oss@gmail.com>
Subject: [dpdk-dev v1] cryptodev: introduce constant-time memory comparison
Date: Thu, 25 Sep 2025 10:22:23 +0000 [thread overview]
Message-ID: <20250925102223.145471-1-kai.ji@intel.com> (raw)
Add rte_consttime_memcmp() to prevent timing attacks in cryptographic
digest verification operations.
Replace memcmp() with rte_consttime_memcmp() in cryptographic
authentication verification operations across multiple crypto drivers:
* ipsec_mb
* scheduler
Note: OpenSSL crypto driver already uses CRYPTO_memcmp() which
provides equivalent timing attack resistance and is left unchanged.
Bugzilla ID: 1773
Cc: stable@dpdk.org
[0] https://bugs.dpdk.org/show_bug.cgi?id=1773
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/ipsec_mb/pmd_aesni_gcm.c | 4 ++--
drivers/crypto/ipsec_mb/pmd_aesni_mb.c | 6 ++---
drivers/crypto/ipsec_mb/pmd_snow3g.c | 2 +-
drivers/crypto/ipsec_mb/pmd_zuc.c | 2 +-
.../scheduler/rte_cryptodev_scheduler.c | 2 +-
lib/cryptodev/rte_cryptodev.h | 23 +++++++++++++++++++
6 files changed, 31 insertions(+), 8 deletions(-)
diff --git a/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c b/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
index 8d40bd9169..ef8503d904 100644
--- a/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
+++ b/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
@@ -206,7 +206,7 @@ post_process_gcm_crypto_op(struct ipsec_mb_qp *qp,
tag, session->req_digest_length);
#endif
- if (memcmp(tag, digest, session->req_digest_length) != 0)
+ if (rte_consttime_memcmp(tag, digest, session->req_digest_length) != 0)
op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
} else {
if (session->req_digest_length != session->gen_digest_length) {
@@ -558,7 +558,7 @@ aesni_gcm_sgl_op_finalize_decryption(const struct aesni_gcm_session *s,
ops.finalize_dec(&s->gdata_key, gdata_ctx, tmpdigest,
s->gen_digest_length);
- return memcmp(digest, tmpdigest, s->req_digest_length) == 0 ? 0
+ return rte_consttime_memcmp(digest, tmpdigest, s->req_digest_length) == 0 ? 0
: EBADMSG;
}
diff --git a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
index a6c3f09b6f..78fc59c4bf 100644
--- a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
+++ b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
@@ -1902,7 +1902,7 @@ verify_docsis_sec_crc(IMB_JOB *job, uint8_t *status)
crc = job->dst + crc_offset;
/* Verify CRC (at the end of the message) */
- if (memcmp(job->auth_tag_output, crc, RTE_ETHER_CRC_LEN) != 0)
+ if (rte_consttime_memcmp(job->auth_tag_output, crc, RTE_ETHER_CRC_LEN) != 0)
*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
@@ -1910,7 +1910,7 @@ static inline void
verify_digest(IMB_JOB *job, void *digest, uint16_t len, uint8_t *status)
{
/* Verify digest if required */
- if (memcmp(job->auth_tag_output, digest, len) != 0)
+ if (rte_consttime_memcmp(job->auth_tag_output, digest, len) != 0)
*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
@@ -2305,7 +2305,7 @@ verify_sync_dgst(struct rte_crypto_sym_vec *vec,
for (i = 0, k = 0; i != vec->num; i++) {
if (vec->status[i] == 0) {
- if (memcmp(vec->digest[i].va, dgst[i], len) != 0)
+ if (rte_consttime_memcmp(vec->digest[i].va, dgst[i], len) != 0)
vec->status[i] = EBADMSG;
else
k++;
diff --git a/drivers/crypto/ipsec_mb/pmd_snow3g.c b/drivers/crypto/ipsec_mb/pmd_snow3g.c
index 65f0e5c568..7c900d11de 100644
--- a/drivers/crypto/ipsec_mb/pmd_snow3g.c
+++ b/drivers/crypto/ipsec_mb/pmd_snow3g.c
@@ -269,7 +269,7 @@ process_snow3g_hash_op(struct ipsec_mb_qp *qp, struct rte_crypto_op **ops,
&session->pKeySched_hash,
iv, src, length_in_bits, dst);
/* Verify digest. */
- if (memcmp(dst, ops[i]->sym->auth.digest.data,
+ if (rte_consttime_memcmp(dst, ops[i]->sym->auth.digest.data,
SNOW3G_DIGEST_LENGTH) != 0)
ops[i]->status =
RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
diff --git a/drivers/crypto/ipsec_mb/pmd_zuc.c b/drivers/crypto/ipsec_mb/pmd_zuc.c
index 44781be1d1..c3f109289b 100644
--- a/drivers/crypto/ipsec_mb/pmd_zuc.c
+++ b/drivers/crypto/ipsec_mb/pmd_zuc.c
@@ -185,7 +185,7 @@ process_zuc_hash_op(struct ipsec_mb_qp *qp, struct rte_crypto_op **ops,
*/
for (i = 0; i < processed_ops; i++)
if (sessions[i]->auth_op == RTE_CRYPTO_AUTH_OP_VERIFY)
- if (memcmp(dst[i], ops[i]->sym->auth.digest.data,
+ if (rte_consttime_memcmp(dst[i], ops[i]->sym->auth.digest.data,
ZUC_DIGEST_LENGTH) != 0)
ops[i]->status =
RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
diff --git a/drivers/crypto/scheduler/rte_cryptodev_scheduler.c b/drivers/crypto/scheduler/rte_cryptodev_scheduler.c
index 1ca8443431..158d6332b8 100644
--- a/drivers/crypto/scheduler/rte_cryptodev_scheduler.c
+++ b/drivers/crypto/scheduler/rte_cryptodev_scheduler.c
@@ -100,7 +100,7 @@ check_sec_cap_equal(const struct rte_security_capability *sec_cap1,
return 0;
if (sec_cap1->protocol == RTE_SECURITY_PROTOCOL_DOCSIS)
- return !memcmp(&sec_cap1->docsis, &sec_cap2->docsis,
+ return !rte_consttime_memcmp(&sec_cap1->docsis, &sec_cap2->docsis,
sizeof(sec_cap1->docsis));
else
return 0;
diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
index eaf0e50d37..77f10fbf88 100644
--- a/lib/cryptodev/rte_cryptodev.h
+++ b/lib/cryptodev/rte_cryptodev.h
@@ -78,6 +78,29 @@ extern int rte_cryptodev_logtype;
#define rte_crypto_op_ctophys_offset(c, o) \
(rte_iova_t)((c)->phys_addr + (o))
+/**
+ * Constant-time memory comparison for cryptographic use.
+ * Returns 0 if the memory regions are equal, nonzero otherwise.
+ * Runs in constant time with respect to the length to prevent timing attacks.
+ *
+ * @param a
+ * Pointer to the first memory region.
+ * @param b
+ * Pointer to the second memory region.
+ * @param n
+ * Number of bytes to compare.
+ * @return
+ * 0 if memory regions are equal, nonzero otherwise.
+ */
+#define rte_consttime_memcmp(a, b, n) __extension__ ({ \
+ const volatile uint8_t *__pa = (const volatile uint8_t *)(a); \
+ const volatile uint8_t *__pb = (const volatile uint8_t *)(b); \
+ uint8_t __result = 0; \
+ for (size_t __i = 0; __i < (n); __i++) \
+ __result |= __pa[__i] ^ __pb[__i]; \
+ __result; \
+})
+
/**
* Crypto parameters range description
*/
--
2.34.1
next reply other threads:[~2025-09-25 10:22 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-25 10:22 Kai Ji [this message]
2025-09-25 10:33 ` [EXTERNAL] " Akhil Goyal
2025-09-25 20:47 ` Thomas Monjalon
2025-09-26 7:55 ` Bruce Richardson
2025-09-26 7:58 ` Bruce Richardson
2025-09-26 12:34 ` Morten Brørup
2025-09-26 8:13 ` Konstantin Ananyev
2025-09-26 8:16 ` Konstantin Ananyev
2025-09-26 15:49 ` [dpdk-dev v2 1/2] eal: Add rte_consttime_memsq() to prevent timing attacks memcmp Kai Ji
2025-09-26 15:49 ` [dpdk-dev v2 2/2] crypto/ipsec-mb: use constant-time memory comparison Kai Ji
2025-09-26 16:02 ` [dpdk-dev v3 1/2] eal: Add rte_consttime_memneq() to prevent timing attacks memcmp Kai Ji
2025-09-26 16:02 ` [dpdk-dev v3 2/2] crypto/ipsec-mb: use constant-time memory comparison Kai Ji
2025-09-26 18:12 ` [dpdk-dev v3 1/2] eal: Add rte_consttime_memneq() to prevent timing attacks memcmp Stephen Hemminger
2025-09-26 19:17 ` Morten Brørup
2025-09-26 20:15 ` Stephen Hemminger
2025-09-26 18:07 ` [dpdk-dev v2 1/2] eal: Add rte_consttime_memsq() " Stephen Hemminger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250925102223.145471-1-kai.ji@intel.com \
--to=kai.ji@intel.com \
--cc=dev@dpdk.org \
--cc=fanzhang.oss@gmail.com \
--cc=gakhil@marvell.com \
--cc=pablo.de.lara.guarch@intel.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).