[dpdk-dev v1] cryptodev: introduce constant-time memory comparison

[dpdk-dev v1] cryptodev: introduce constant-time memory comparison

[Kai Ji]

Add rte_consttime_memcmp() to prevent timing attacks in cryptographic
digest verification operations.

Replace memcmp() with rte_consttime_memcmp() in cryptographic
authentication verification operations across multiple crypto drivers:

* ipsec_mb
* scheduler

Note: OpenSSL crypto driver already uses CRYPTO_memcmp() which
provides equivalent timing attack resistance and is left unchanged.

Bugzilla ID: 1773
Cc: stable@dpdk.org

[0] https://bugs.dpdk.org/show_bug.cgi?id=1773

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 drivers/crypto/ipsec_mb/pmd_aesni_gcm.c       |  4 ++--
 drivers/crypto/ipsec_mb/pmd_aesni_mb.c        |  6 ++---
 drivers/crypto/ipsec_mb/pmd_snow3g.c          |  2 +-
 drivers/crypto/ipsec_mb/pmd_zuc.c             |  2 +-
 .../scheduler/rte_cryptodev_scheduler.c       |  2 +-
 lib/cryptodev/rte_cryptodev.h                 | 23 +++++++++++++++++++
 6 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c b/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
index 8d40bd9169..ef8503d904 100644
--- a/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
+++ b/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
@@ -206,7 +206,7 @@ post_process_gcm_crypto_op(struct ipsec_mb_qp *qp,
 				tag, session->req_digest_length);
 #endif
 
-		if (memcmp(tag, digest,	session->req_digest_length) != 0)
+		if (rte_consttime_memcmp(tag, digest, session->req_digest_length) != 0)
 			op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 	} else {
 		if (session->req_digest_length != session->gen_digest_length) {
@@ -558,7 +558,7 @@ aesni_gcm_sgl_op_finalize_decryption(const struct aesni_gcm_session *s,
 	ops.finalize_dec(&s->gdata_key, gdata_ctx, tmpdigest,
 			s->gen_digest_length);
 
-	return memcmp(digest, tmpdigest, s->req_digest_length) == 0 ? 0
+	return rte_consttime_memcmp(digest, tmpdigest, s->req_digest_length) == 0 ? 0
 								    : EBADMSG;
 }
 
diff --git a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
index a6c3f09b6f..78fc59c4bf 100644
--- a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
+++ b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
@@ -1902,7 +1902,7 @@ verify_docsis_sec_crc(IMB_JOB *job, uint8_t *status)
 	crc = job->dst + crc_offset;
 
 	/* Verify CRC (at the end of the message) */
-	if (memcmp(job->auth_tag_output, crc, RTE_ETHER_CRC_LEN) != 0)
+	if (rte_consttime_memcmp(job->auth_tag_output, crc, RTE_ETHER_CRC_LEN) != 0)
 		*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 }
 
@@ -1910,7 +1910,7 @@ static inline void
 verify_digest(IMB_JOB *job, void *digest, uint16_t len, uint8_t *status)
 {
 	/* Verify digest if required */
-	if (memcmp(job->auth_tag_output, digest, len) != 0)
+	if (rte_consttime_memcmp(job->auth_tag_output, digest, len) != 0)
 		*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 }
 
@@ -2305,7 +2305,7 @@ verify_sync_dgst(struct rte_crypto_sym_vec *vec,
 
 	for (i = 0, k = 0; i != vec->num; i++) {
 		if (vec->status[i] == 0) {
-			if (memcmp(vec->digest[i].va, dgst[i], len) != 0)
+			if (rte_consttime_memcmp(vec->digest[i].va, dgst[i], len) != 0)
 				vec->status[i] = EBADMSG;
 			else
 				k++;
diff --git a/drivers/crypto/ipsec_mb/pmd_snow3g.c b/drivers/crypto/ipsec_mb/pmd_snow3g.c
index 65f0e5c568..7c900d11de 100644
--- a/drivers/crypto/ipsec_mb/pmd_snow3g.c
+++ b/drivers/crypto/ipsec_mb/pmd_snow3g.c
@@ -269,7 +269,7 @@ process_snow3g_hash_op(struct ipsec_mb_qp *qp, struct rte_crypto_op **ops,
 					&session->pKeySched_hash,
 					iv, src, length_in_bits, dst);
 			/* Verify digest. */
-			if (memcmp(dst, ops[i]->sym->auth.digest.data,
+			if (rte_consttime_memcmp(dst, ops[i]->sym->auth.digest.data,
 					SNOW3G_DIGEST_LENGTH) != 0)
 				ops[i]->status =
 					RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
diff --git a/drivers/crypto/ipsec_mb/pmd_zuc.c b/drivers/crypto/ipsec_mb/pmd_zuc.c
index 44781be1d1..c3f109289b 100644
--- a/drivers/crypto/ipsec_mb/pmd_zuc.c
+++ b/drivers/crypto/ipsec_mb/pmd_zuc.c
@@ -185,7 +185,7 @@ process_zuc_hash_op(struct ipsec_mb_qp *qp, struct rte_crypto_op **ops,
 	 */
 	for (i = 0; i < processed_ops; i++)
 		if (sessions[i]->auth_op == RTE_CRYPTO_AUTH_OP_VERIFY)
-			if (memcmp(dst[i], ops[i]->sym->auth.digest.data,
+			if (rte_consttime_memcmp(dst[i], ops[i]->sym->auth.digest.data,
 					ZUC_DIGEST_LENGTH) != 0)
 				ops[i]->status =
 					RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
diff --git a/drivers/crypto/scheduler/rte_cryptodev_scheduler.c b/drivers/crypto/scheduler/rte_cryptodev_scheduler.c
index 1ca8443431..158d6332b8 100644
--- a/drivers/crypto/scheduler/rte_cryptodev_scheduler.c
+++ b/drivers/crypto/scheduler/rte_cryptodev_scheduler.c
@@ -100,7 +100,7 @@ check_sec_cap_equal(const struct rte_security_capability *sec_cap1,
 		return 0;
 
 	if (sec_cap1->protocol == RTE_SECURITY_PROTOCOL_DOCSIS)
-		return !memcmp(&sec_cap1->docsis, &sec_cap2->docsis,
+		return !rte_consttime_memcmp(&sec_cap1->docsis, &sec_cap2->docsis,
 				sizeof(sec_cap1->docsis));
 	else
 		return 0;
diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
index eaf0e50d37..77f10fbf88 100644
--- a/lib/cryptodev/rte_cryptodev.h
+++ b/lib/cryptodev/rte_cryptodev.h
@@ -78,6 +78,29 @@ extern int rte_cryptodev_logtype;
 #define rte_crypto_op_ctophys_offset(c, o)	\
 	(rte_iova_t)((c)->phys_addr + (o))
 
+/**
+ * Constant-time memory comparison for cryptographic use.
+ * Returns 0 if the memory regions are equal, nonzero otherwise.
+ * Runs in constant time with respect to the length to prevent timing attacks.
+ *
+ * @param a
+ *   Pointer to the first memory region.
+ * @param b
+ *   Pointer to the second memory region.
+ * @param n
+ *   Number of bytes to compare.
+ * @return
+ *   0 if memory regions are equal, nonzero otherwise.
+ */
+#define rte_consttime_memcmp(a, b, n) __extension__ ({ \
+	const volatile uint8_t *__pa = (const volatile uint8_t *)(a); \
+	const volatile uint8_t *__pb = (const volatile uint8_t *)(b); \
+	uint8_t __result = 0; \
+	for (size_t __i = 0; __i < (n); __i++) \
+		__result |= __pa[__i] ^ __pb[__i]; \
+	__result; \
+})
+
 /**
  * Crypto parameters range description
  */
-- 
2.34.1

RE: [EXTERNAL] [dpdk-dev v1] cryptodev: introduce constant-time memory comparison

[Akhil Goyal]

> Add rte_consttime_memcmp() to prevent timing attacks in cryptographic
> digest verification operations.
> 
> Replace memcmp() with rte_consttime_memcmp() in cryptographic
> authentication verification operations across multiple crypto drivers:
> 
> * ipsec_mb
> * scheduler
> 
> Note: OpenSSL crypto driver already uses CRYPTO_memcmp() which
> provides equivalent timing attack resistance and is left unchanged.
> 
> Bugzilla ID: 1773
> Cc: stable@dpdk.org
> 
> [0] https://bugs.dpdk.org/show_bug.cgi?id=1773
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>


> diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
> index eaf0e50d37..77f10fbf88 100644
> --- a/lib/cryptodev/rte_cryptodev.h
> +++ b/lib/cryptodev/rte_cryptodev.h
> @@ -78,6 +78,29 @@ extern int rte_cryptodev_logtype;
>  #define rte_crypto_op_ctophys_offset(c, o)	\
>  	(rte_iova_t)((c)->phys_addr + (o))
> 
> +/**
> + * Constant-time memory comparison for cryptographic use.
> + * Returns 0 if the memory regions are equal, nonzero otherwise.
> + * Runs in constant time with respect to the length to prevent timing attacks.
> + *
> + * @param a
> + *   Pointer to the first memory region.
> + * @param b
> + *   Pointer to the second memory region.
> + * @param n
> + *   Number of bytes to compare.
> + * @return
> + *   0 if memory regions are equal, nonzero otherwise.
> + */
> +#define rte_consttime_memcmp(a, b, n) __extension__ ({ \
> +	const volatile uint8_t *__pa = (const volatile uint8_t *)(a); \
> +	const volatile uint8_t *__pb = (const volatile uint8_t *)(b); \
> +	uint8_t __result = 0; \
> +	for (size_t __i = 0; __i < (n); __i++) \
> +		__result |= __pa[__i] ^ __pb[__i]; \
> +	__result; \
> +})
> +
>  /**
>   * Crypto parameters range description
>   */

I believe this is not the right place to add this define. It should be somewhere in common eal if it is already not there.

++ Thomas, Stephen, Bruce, David.

Re: [EXTERNAL] [dpdk-dev v1] cryptodev: introduce constant-time memory comparison

[Thomas Monjalon]

25/09/2025 12:33, Akhil Goyal:
> > +/**
> > + * Constant-time memory comparison for cryptographic use.
> > + * Returns 0 if the memory regions are equal, nonzero otherwise.
> > + * Runs in constant time with respect to the length to prevent timing attacks.
> > + *
> > + * @param a
> > + *   Pointer to the first memory region.
> > + * @param b
> > + *   Pointer to the second memory region.
> > + * @param n
> > + *   Number of bytes to compare.
> > + * @return
> > + *   0 if memory regions are equal, nonzero otherwise.
> > + */
> > +#define rte_consttime_memcmp(a, b, n) __extension__ ({ \
> > +	const volatile uint8_t *__pa = (const volatile uint8_t *)(a); \
> > +	const volatile uint8_t *__pb = (const volatile uint8_t *)(b); \
> > +	uint8_t __result = 0; \
> > +	for (size_t __i = 0; __i < (n); __i++) \
> > +		__result |= __pa[__i] ^ __pb[__i]; \
> > +	__result; \
> > +})
> 
> I believe this is not the right place to add this define.
> It should be somewhere in common eal if it is already not there.

Yes indeed.
cryptodev is the API for managing crypto devices.
A new memcmp function would be better hosted in libc,
and in EAL for compatibility with all supported libc.

I mean please add it in EAL, and propose it to glibc as well.

Re: [EXTERNAL] [dpdk-dev v1] cryptodev: introduce constant-time memory comparison

[Bruce Richardson]

On Thu, Sep 25, 2025 at 10:47:42PM +0200, Thomas Monjalon wrote:
> 25/09/2025 12:33, Akhil Goyal:
> > > +/**
> > > + * Constant-time memory comparison for cryptographic use.
> > > + * Returns 0 if the memory regions are equal, nonzero otherwise.
> > > + * Runs in constant time with respect to the length to prevent timing attacks.
> > > + *
> > > + * @param a
> > > + *   Pointer to the first memory region.
> > > + * @param b
> > > + *   Pointer to the second memory region.
> > > + * @param n
> > > + *   Number of bytes to compare.
> > > + * @return
> > > + *   0 if memory regions are equal, nonzero otherwise.
> > > + */
> > > +#define rte_consttime_memcmp(a, b, n) __extension__ ({ \
> > > +	const volatile uint8_t *__pa = (const volatile uint8_t *)(a); \
> > > +	const volatile uint8_t *__pb = (const volatile uint8_t *)(b); \
> > > +	uint8_t __result = 0; \
> > > +	for (size_t __i = 0; __i < (n); __i++) \
> > > +		__result |= __pa[__i] ^ __pb[__i]; \
> > > +	__result; \
> > > +})
> > 
> > I believe this is not the right place to add this define.
> > It should be somewhere in common eal if it is already not there.
> 
> Yes indeed.
> cryptodev is the API for managing crypto devices.
> A new memcmp function would be better hosted in libc,
> and in EAL for compatibility with all supported libc.
> 
> I mean please add it in EAL, and propose it to glibc as well.
> 

Just for reference, there is a good discussion of such functions and
reference code under MIT license at [1]. After reading that, I note that
the proposed macro above it not strictly a memcmp function because it just
returns a zero/non-zero value, rather than a value indicating which array
value is greater. Therefore some feedback on this code:
* Use an inline function returning bool rather than a macro
* A more accurate name might be rte_consttime_memneq, since the code
  returns 0 (false) if equal.

Regars,
/Bruce

[1] https://github.com/chmike/cst_time_memcmp

Re: [EXTERNAL] [dpdk-dev v1] cryptodev: introduce constant-time memory comparison

[Bruce Richardson]

On Fri, Sep 26, 2025 at 08:55:55AM +0100, Bruce Richardson wrote:
> On Thu, Sep 25, 2025 at 10:47:42PM +0200, Thomas Monjalon wrote:
> > 25/09/2025 12:33, Akhil Goyal:
> > > > +/**
> > > > + * Constant-time memory comparison for cryptographic use.
> > > > + * Returns 0 if the memory regions are equal, nonzero otherwise.
> > > > + * Runs in constant time with respect to the length to prevent timing attacks.
> > > > + *
> > > > + * @param a
> > > > + *   Pointer to the first memory region.
> > > > + * @param b
> > > > + *   Pointer to the second memory region.
> > > > + * @param n
> > > > + *   Number of bytes to compare.
> > > > + * @return
> > > > + *   0 if memory regions are equal, nonzero otherwise.
> > > > + */
> > > > +#define rte_consttime_memcmp(a, b, n) __extension__ ({ \
> > > > +	const volatile uint8_t *__pa = (const volatile uint8_t *)(a); \
> > > > +	const volatile uint8_t *__pb = (const volatile uint8_t *)(b); \
> > > > +	uint8_t __result = 0; \
> > > > +	for (size_t __i = 0; __i < (n); __i++) \
> > > > +		__result |= __pa[__i] ^ __pb[__i]; \
> > > > +	__result; \
> > > > +})
> > > 
> > > I believe this is not the right place to add this define.
> > > It should be somewhere in common eal if it is already not there.
> > 
> > Yes indeed.
> > cryptodev is the API for managing crypto devices.
> > A new memcmp function would be better hosted in libc,
> > and in EAL for compatibility with all supported libc.
> > 
> > I mean please add it in EAL, and propose it to glibc as well.
> > 
> 
> Just for reference, there is a good discussion of such functions and
> reference code under MIT license at [1]. After reading that, I note that
> the proposed macro above it not strictly a memcmp function because it just
> returns a zero/non-zero value, rather than a value indicating which array
> value is greater. Therefore some feedback on this code:
> * Use an inline function returning bool rather than a macro
> * A more accurate name might be rte_consttime_memneq, since the code
>   returns 0 (false) if equal.
> 

Or better, change the return value from result to !result to make it a
"memeq" function, which also has the benefit of clamping return values to
just 0 and 1.

> Regars,
> /Bruce
> 
> [1] https://github.com/chmike/cst_time_memcmp

RE: [EXTERNAL] [dpdk-dev v1] cryptodev: introduce constant-time memory comparison

[Morten Brørup]

> From: Bruce Richardson [mailto:bruce.richardson@intel.com]
> Sent: Friday, 26 September 2025 09.56
> 
> On Thu, Sep 25, 2025 at 10:47:42PM +0200, Thomas Monjalon wrote:
> > 25/09/2025 12:33, Akhil Goyal:
> > > > +/**
> > > > + * Constant-time memory comparison for cryptographic use.
> > > > + * Returns 0 if the memory regions are equal, nonzero otherwise.
> > > > + * Runs in constant time with respect to the length to prevent
> timing attacks.
> > > > + *
> > > > + * @param a
> > > > + *   Pointer to the first memory region.
> > > > + * @param b
> > > > + *   Pointer to the second memory region.
> > > > + * @param n
> > > > + *   Number of bytes to compare.
> > > > + * @return
> > > > + *   0 if memory regions are equal, nonzero otherwise.
> > > > + */
> > > > +#define rte_consttime_memcmp(a, b, n) __extension__ ({ \
> > > > +	const volatile uint8_t *__pa = (const volatile uint8_t
> *)(a); \
> > > > +	const volatile uint8_t *__pb = (const volatile uint8_t
> *)(b); \
> > > > +	uint8_t __result = 0; \
> > > > +	for (size_t __i = 0; __i < (n); __i++) \
> > > > +		__result |= __pa[__i] ^ __pb[__i]; \
> > > > +	__result; \
> > > > +})
> > >
> > > I believe this is not the right place to add this define.
> > > It should be somewhere in common eal if it is already not there.
> >
> > Yes indeed.
> > cryptodev is the API for managing crypto devices.
> > A new memcmp function would be better hosted in libc,
> > and in EAL for compatibility with all supported libc.
> >
> > I mean please add it in EAL, and propose it to glibc as well.
> >
> 
> Just for reference, there is a good discussion of such functions and
> reference code under MIT license at [1]. After reading that, I note
> that
> the proposed macro above it not strictly a memcmp function because it
> just
> returns a zero/non-zero value, rather than a value indicating which
> array
> value is greater. Therefore some feedback on this code:
> * Use an inline function returning bool rather than a macro
> * A more accurate name might be rte_consttime_memneq, since the code
>   returns 0 (false) if equal.
> 
> Regars,
> /Bruce
> 
> [1] https://github.com/chmike/cst_time_memcmp

When deciding on the function name and location:
Can we foresee other consttime or crypto-purpose functions that should reside in the EAL?

There's already rte_memzero_explicit() in rte_memory.h:
https://elixir.bootlin.com/dpdk/v25.07/source/lib/eal/include/rte_memory.h#L747

Please use the same naming convention, i.e. put the function purpose first, and append the special behavior as postfix:
rte_memneq_consttime(), e.g.:
bool rte_memneq_consttime(const void *s1, const void *s2, size_t n);

IMHO, eal/include/rte_memory.h is a good location for this too.

Should it be an inline or normal function?
If it's primarily for fast path, inline is preferable.

You could also add the inverse function, i.e. add both memneq and memeq.

RE: [EXTERNAL] [dpdk-dev v1] cryptodev: introduce constant-time memory comparison

[Konstantin Ananyev]

> 25/09/2025 12:33, Akhil Goyal:
> > > +/**
> > > + * Constant-time memory comparison for cryptographic use.
> > > + * Returns 0 if the memory regions are equal, nonzero otherwise.
> > > + * Runs in constant time with respect to the length to prevent timing attacks.
> > > + *
> > > + * @param a
> > > + *   Pointer to the first memory region.
> > > + * @param b
> > > + *   Pointer to the second memory region.
> > > + * @param n
> > > + *   Number of bytes to compare.
> > > + * @return
> > > + *   0 if memory regions are equal, nonzero otherwise.
> > > + */
> > > +#define rte_consttime_memcmp(a, b, n) __extension__ ({ \
> > > +	const volatile uint8_t *__pa = (const volatile uint8_t *)(a); \
> > > +	const volatile uint8_t *__pb = (const volatile uint8_t *)(b); \
> > > +	uint8_t __result = 0; \
> > > +	for (size_t __i = 0; __i < (n); __i++) \
> > > +		__result |= __pa[__i] ^ __pb[__i]; \
> > > +	__result; \
> > > +})
> >
> > I believe this is not the right place to add this define.
> > It should be somewhere in common eal if it is already not there.
> 
> Yes indeed.
> cryptodev is the API for managing crypto devices.
> A new memcmp function would be better hosted in libc,
> and in EAL for compatibility with all supported libc.
> 
> I mean please add it in EAL, and propose it to glibc as well.

Stupid q: what's wrong with standard C memcmp() function?
 

RE: [EXTERNAL] [dpdk-dev v1] cryptodev: introduce constant-time memory comparison

[Konstantin Ananyev]

> 
> 
> > 25/09/2025 12:33, Akhil Goyal:
> > > > +/**
> > > > + * Constant-time memory comparison for cryptographic use.
> > > > + * Returns 0 if the memory regions are equal, nonzero otherwise.
> > > > + * Runs in constant time with respect to the length to prevent timing
> attacks.
> > > > + *
> > > > + * @param a
> > > > + *   Pointer to the first memory region.
> > > > + * @param b
> > > > + *   Pointer to the second memory region.
> > > > + * @param n
> > > > + *   Number of bytes to compare.
> > > > + * @return
> > > > + *   0 if memory regions are equal, nonzero otherwise.
> > > > + */
> > > > +#define rte_consttime_memcmp(a, b, n) __extension__ ({ \
> > > > +	const volatile uint8_t *__pa = (const volatile uint8_t *)(a); \
> > > > +	const volatile uint8_t *__pb = (const volatile uint8_t *)(b); \
> > > > +	uint8_t __result = 0; \
> > > > +	for (size_t __i = 0; __i < (n); __i++) \
> > > > +		__result |= __pa[__i] ^ __pb[__i]; \
> > > > +	__result; \
> > > > +})
> > >
> > > I believe this is not the right place to add this define.
> > > It should be somewhere in common eal if it is already not there.
> >
> > Yes indeed.
> > cryptodev is the API for managing crypto devices.
> > A new memcmp function would be better hosted in libc,
> > and in EAL for compatibility with all supported libc.
> >
> > I mean please add it in EAL, and propose it to glibc as well.
> 
> Stupid q: what's wrong with standard C memcmp() function?

Ah, sorry, didn't read properly.
Please disregard, and yes - might be EAL is the right place for it.

[dpdk-dev v2 1/2] eal: Add rte_consttime_memsq() to prevent timing attacks memcmp.

[Kai Ji]

Bugzilla ID: 1773
Cc: stable@dpdk.org

[0] https://bugs.dpdk.org/show_bug.cgi?id=1773

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 lib/eal/include/rte_common.h | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
index 9e7d84f929..ddbba083be 100644
--- a/lib/eal/include/rte_common.h
+++ b/lib/eal/include/rte_common.h
@@ -700,6 +700,40 @@ rte_is_aligned(const void * const __rte_restrict ptr, const unsigned int align)
 	return ((uintptr_t)ptr & (align - 1)) == 0;
 }
 
+/**
+ * Constant-time memory inequality comparison.
+ *
+ * This function compares two memory regions in constant time, making it
+ * resistant to timing side-channel attacks. The execution time depends only
+ * on the length parameter, not on the actual data values being compared.
+ *
+ * This is particularly important for cryptographic operations where timing
+ * differences could leak information about secret keys, passwords, or other
+ * sensitive data.
+ *
+ * @param a
+ *   Pointer to the first memory region to compare
+ * @param b
+ *   Pointer to the second memory region to compare
+ * @param n
+ *   Number of bytes to compare
+ * @return
+ *   false if the memory regions are identical, true if they differ
+ */
+static inline bool
+rte_consttime_memneq(const void *a, const void *b, size_t n)
+{
+	const volatile uint8_t *pa = (const volatile uint8_t *)a;
+	const volatile uint8_t *pb = (const volatile uint8_t *)b;
+	uint8_t result = 0;
+	size_t i;
+
+	for (i = 0; i < n; i++)
+		result |= pa[i] ^ pb[i];
+
+	return result != 0;
+}
+
 /*********** Macros for compile type checks ********/
 
 /* Workaround for toolchain issues with missing C11 macro in FreeBSD */
-- 
2.34.1

[dpdk-dev v2 2/2] crypto/ipsec-mb: use constant-time memory comparison

[Kai Ji]

Replace memcmp() with rte_consttime_memsq() in cryptographic
authentication verification operations across multiple crypto drivers:

* ipsec_mb

Note: OpenSSL crypto driver already uses CRYPTO_memcmp() which
provides equivalent timing attack resistance and is left unchanged.

Note: scheduler driver memcmp stays unchanged as its not secret data
comparison and actually faster with no timing attack risk.

Bugzilla ID: 1773
Cc: stable@dpdk.org

[0] https://bugs.dpdk.org/show_bug.cgi?id=1773

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 drivers/crypto/ipsec_mb/pmd_aesni_gcm.c | 5 ++---
 drivers/crypto/ipsec_mb/pmd_aesni_mb.c  | 6 +++---
 drivers/crypto/ipsec_mb/pmd_snow3g.c    | 4 ++--
 drivers/crypto/ipsec_mb/pmd_zuc.c       | 4 ++--
 4 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c b/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
index 8d40bd9169..bfe119bf77 100644
--- a/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
+++ b/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
@@ -206,7 +206,7 @@ post_process_gcm_crypto_op(struct ipsec_mb_qp *qp,
 				tag, session->req_digest_length);
 #endif
 
-		if (memcmp(tag, digest,	session->req_digest_length) != 0)
+		if (rte_consttime_memneq(tag, digest, session->req_digest_length))
 			op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 	} else {
 		if (session->req_digest_length != session->gen_digest_length) {
@@ -558,8 +558,7 @@ aesni_gcm_sgl_op_finalize_decryption(const struct aesni_gcm_session *s,
 	ops.finalize_dec(&s->gdata_key, gdata_ctx, tmpdigest,
 			s->gen_digest_length);
 
-	return memcmp(digest, tmpdigest, s->req_digest_length) == 0 ? 0
-								    : EBADMSG;
+	return rte_consttime_memneq(digest, tmpdigest, s->req_digest_length) ? EBADMSG : 0;
 }
 
 static inline void
diff --git a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
index a6c3f09b6f..f23a09376e 100644
--- a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
+++ b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
@@ -1902,7 +1902,7 @@ verify_docsis_sec_crc(IMB_JOB *job, uint8_t *status)
 	crc = job->dst + crc_offset;
 
 	/* Verify CRC (at the end of the message) */
-	if (memcmp(job->auth_tag_output, crc, RTE_ETHER_CRC_LEN) != 0)
+	if (rte_consttime_memneq(job->auth_tag_output, crc, RTE_ETHER_CRC_LEN))
 		*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 }
 
@@ -1910,7 +1910,7 @@ static inline void
 verify_digest(IMB_JOB *job, void *digest, uint16_t len, uint8_t *status)
 {
 	/* Verify digest if required */
-	if (memcmp(job->auth_tag_output, digest, len) != 0)
+	if (rte_consttime_memneq(job->auth_tag_output, digest, len))
 		*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 }
 
@@ -2305,7 +2305,7 @@ verify_sync_dgst(struct rte_crypto_sym_vec *vec,
 
 	for (i = 0, k = 0; i != vec->num; i++) {
 		if (vec->status[i] == 0) {
-			if (memcmp(vec->digest[i].va, dgst[i], len) != 0)
+			if (rte_consttime_memneq(vec->digest[i].va, dgst[i], len))
 				vec->status[i] = EBADMSG;
 			else
 				k++;
diff --git a/drivers/crypto/ipsec_mb/pmd_snow3g.c b/drivers/crypto/ipsec_mb/pmd_snow3g.c
index 65f0e5c568..befb60e473 100644
--- a/drivers/crypto/ipsec_mb/pmd_snow3g.c
+++ b/drivers/crypto/ipsec_mb/pmd_snow3g.c
@@ -269,8 +269,8 @@ process_snow3g_hash_op(struct ipsec_mb_qp *qp, struct rte_crypto_op **ops,
 					&session->pKeySched_hash,
 					iv, src, length_in_bits, dst);
 			/* Verify digest. */
-			if (memcmp(dst, ops[i]->sym->auth.digest.data,
-					SNOW3G_DIGEST_LENGTH) != 0)
+			if (rte_consttime_memneq(dst, ops[i]->sym->auth.digest.data,
+					SNOW3G_DIGEST_LENGTH))
 				ops[i]->status =
 					RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 		} else {
diff --git a/drivers/crypto/ipsec_mb/pmd_zuc.c b/drivers/crypto/ipsec_mb/pmd_zuc.c
index 44781be1d1..8f0be0465a 100644
--- a/drivers/crypto/ipsec_mb/pmd_zuc.c
+++ b/drivers/crypto/ipsec_mb/pmd_zuc.c
@@ -185,8 +185,8 @@ process_zuc_hash_op(struct ipsec_mb_qp *qp, struct rte_crypto_op **ops,
 	 */
 	for (i = 0; i < processed_ops; i++)
 		if (sessions[i]->auth_op == RTE_CRYPTO_AUTH_OP_VERIFY)
-			if (memcmp(dst[i], ops[i]->sym->auth.digest.data,
-					ZUC_DIGEST_LENGTH) != 0)
+			if (rte_consttime_memneq(dst[i], ops[i]->sym->auth.digest.data,
+					ZUC_DIGEST_LENGTH))
 				ops[i]->status =
 					RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 
-- 
2.34.1

[dpdk-dev v3 1/2] eal: Add rte_consttime_memneq() to prevent timing attacks memcmp.

[Kai Ji]

Bugzilla ID: 1773
https://bugs.dpdk.org/show_bug.cgi?id=1773

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 lib/eal/include/rte_common.h | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
index 9e7d84f929..ddbba083be 100644
--- a/lib/eal/include/rte_common.h
+++ b/lib/eal/include/rte_common.h
@@ -700,6 +700,40 @@ rte_is_aligned(const void * const __rte_restrict ptr, const unsigned int align)
 	return ((uintptr_t)ptr & (align - 1)) == 0;
 }
 
+/**
+ * Constant-time memory inequality comparison.
+ *
+ * This function compares two memory regions in constant time, making it
+ * resistant to timing side-channel attacks. The execution time depends only
+ * on the length parameter, not on the actual data values being compared.
+ *
+ * This is particularly important for cryptographic operations where timing
+ * differences could leak information about secret keys, passwords, or other
+ * sensitive data.
+ *
+ * @param a
+ *   Pointer to the first memory region to compare
+ * @param b
+ *   Pointer to the second memory region to compare
+ * @param n
+ *   Number of bytes to compare
+ * @return
+ *   false if the memory regions are identical, true if they differ
+ */
+static inline bool
+rte_consttime_memneq(const void *a, const void *b, size_t n)
+{
+	const volatile uint8_t *pa = (const volatile uint8_t *)a;
+	const volatile uint8_t *pb = (const volatile uint8_t *)b;
+	uint8_t result = 0;
+	size_t i;
+
+	for (i = 0; i < n; i++)
+		result |= pa[i] ^ pb[i];
+
+	return result != 0;
+}
+
 /*********** Macros for compile type checks ********/
 
 /* Workaround for toolchain issues with missing C11 macro in FreeBSD */
-- 
2.34.1

[dpdk-dev v3 2/2] crypto/ipsec-mb: use constant-time memory comparison

[Kai Ji]

Replace memcmp() with rte_consttime_memneq() in cryptographic
authentication verification operations in ipsec_mb crypto driver.

Note: OpenSSL crypto driver already uses CRYPTO_memcmp() which
provides equivalent timing attack resistance and is left unchanged.

Note: scheduler driver memcmp stays unchanged as its not secret data
comparison and actually faster with no timing attack risk.

Bugzilla ID: 1773
https://bugs.dpdk.org/show_bug.cgi?id=1773

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 drivers/crypto/ipsec_mb/pmd_aesni_gcm.c | 5 ++---
 drivers/crypto/ipsec_mb/pmd_aesni_mb.c  | 6 +++---
 drivers/crypto/ipsec_mb/pmd_snow3g.c    | 4 ++--
 drivers/crypto/ipsec_mb/pmd_zuc.c       | 4 ++--
 4 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c b/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
index 8d40bd9169..bfe119bf77 100644
--- a/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
+++ b/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
@@ -206,7 +206,7 @@ post_process_gcm_crypto_op(struct ipsec_mb_qp *qp,
 				tag, session->req_digest_length);
 #endif
 
-		if (memcmp(tag, digest,	session->req_digest_length) != 0)
+		if (rte_consttime_memneq(tag, digest, session->req_digest_length))
 			op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 	} else {
 		if (session->req_digest_length != session->gen_digest_length) {
@@ -558,8 +558,7 @@ aesni_gcm_sgl_op_finalize_decryption(const struct aesni_gcm_session *s,
 	ops.finalize_dec(&s->gdata_key, gdata_ctx, tmpdigest,
 			s->gen_digest_length);
 
-	return memcmp(digest, tmpdigest, s->req_digest_length) == 0 ? 0
-								    : EBADMSG;
+	return rte_consttime_memneq(digest, tmpdigest, s->req_digest_length) ? EBADMSG : 0;
 }
 
 static inline void
diff --git a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
index a6c3f09b6f..f23a09376e 100644
--- a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
+++ b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
@@ -1902,7 +1902,7 @@ verify_docsis_sec_crc(IMB_JOB *job, uint8_t *status)
 	crc = job->dst + crc_offset;
 
 	/* Verify CRC (at the end of the message) */
-	if (memcmp(job->auth_tag_output, crc, RTE_ETHER_CRC_LEN) != 0)
+	if (rte_consttime_memneq(job->auth_tag_output, crc, RTE_ETHER_CRC_LEN))
 		*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 }
 
@@ -1910,7 +1910,7 @@ static inline void
 verify_digest(IMB_JOB *job, void *digest, uint16_t len, uint8_t *status)
 {
 	/* Verify digest if required */
-	if (memcmp(job->auth_tag_output, digest, len) != 0)
+	if (rte_consttime_memneq(job->auth_tag_output, digest, len))
 		*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 }
 
@@ -2305,7 +2305,7 @@ verify_sync_dgst(struct rte_crypto_sym_vec *vec,
 
 	for (i = 0, k = 0; i != vec->num; i++) {
 		if (vec->status[i] == 0) {
-			if (memcmp(vec->digest[i].va, dgst[i], len) != 0)
+			if (rte_consttime_memneq(vec->digest[i].va, dgst[i], len))
 				vec->status[i] = EBADMSG;
 			else
 				k++;
diff --git a/drivers/crypto/ipsec_mb/pmd_snow3g.c b/drivers/crypto/ipsec_mb/pmd_snow3g.c
index 65f0e5c568..befb60e473 100644
--- a/drivers/crypto/ipsec_mb/pmd_snow3g.c
+++ b/drivers/crypto/ipsec_mb/pmd_snow3g.c
@@ -269,8 +269,8 @@ process_snow3g_hash_op(struct ipsec_mb_qp *qp, struct rte_crypto_op **ops,
 					&session->pKeySched_hash,
 					iv, src, length_in_bits, dst);
 			/* Verify digest. */
-			if (memcmp(dst, ops[i]->sym->auth.digest.data,
-					SNOW3G_DIGEST_LENGTH) != 0)
+			if (rte_consttime_memneq(dst, ops[i]->sym->auth.digest.data,
+					SNOW3G_DIGEST_LENGTH))
 				ops[i]->status =
 					RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 		} else {
diff --git a/drivers/crypto/ipsec_mb/pmd_zuc.c b/drivers/crypto/ipsec_mb/pmd_zuc.c
index 44781be1d1..8f0be0465a 100644
--- a/drivers/crypto/ipsec_mb/pmd_zuc.c
+++ b/drivers/crypto/ipsec_mb/pmd_zuc.c
@@ -185,8 +185,8 @@ process_zuc_hash_op(struct ipsec_mb_qp *qp, struct rte_crypto_op **ops,
 	 */
 	for (i = 0; i < processed_ops; i++)
 		if (sessions[i]->auth_op == RTE_CRYPTO_AUTH_OP_VERIFY)
-			if (memcmp(dst[i], ops[i]->sym->auth.digest.data,
-					ZUC_DIGEST_LENGTH) != 0)
+			if (rte_consttime_memneq(dst[i], ops[i]->sym->auth.digest.data,
+					ZUC_DIGEST_LENGTH))
 				ops[i]->status =
 					RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 
-- 
2.34.1

Re: [dpdk-dev v3 1/2] eal: Add rte_consttime_memneq() to prevent timing attacks memcmp.

[Stephen Hemminger]

On Fri, 26 Sep 2025 16:02:08 +0000
Kai Ji <kai.ji@intel.com> wrote:

> +/**
> + * Constant-time memory inequality comparison.
> + *
> + * This function compares two memory regions in constant time, making it
> + * resistant to timing side-channel attacks. The execution time depends only
> + * on the length parameter, not on the actual data values being compared.
> + *
> + * This is particularly important for cryptographic operations where timing
> + * differences could leak information about secret keys, passwords, or other
> + * sensitive data.
> + *
> + * @param a
> + *   Pointer to the first memory region to compare
> + * @param b
> + *   Pointer to the second memory region to compare
> + * @param n
> + *   Number of bytes to compare
> + * @return
> + *   false if the memory regions are identical, true if they differ
> + */
> +static inline bool
> +rte_consttime_memneq(const void *a, const void *b, size_t n)

prefer FreeBSD naming i.e memeq instead of memneq

RE: [dpdk-dev v3 1/2] eal: Add rte_consttime_memneq() to prevent timing attacks memcmp.

[Morten Brørup]

> From: Kai Ji [mailto:kai.ji@intel.com]
> Sent: Friday, 26 September 2025 18.02
> 
> Bugzilla ID: 1773
> https://bugs.dpdk.org/show_bug.cgi?id=1773
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
>  lib/eal/include/rte_common.h | 34 ++++++++++++++++++++++++++++++++++
>  1 file changed, 34 insertions(+)
> 
> diff --git a/lib/eal/include/rte_common.h
> b/lib/eal/include/rte_common.h
> index 9e7d84f929..ddbba083be 100644
> --- a/lib/eal/include/rte_common.h
> +++ b/lib/eal/include/rte_common.h
> @@ -700,6 +700,40 @@ rte_is_aligned(const void * const __rte_restrict
> ptr, const unsigned int align)
>  	return ((uintptr_t)ptr & (align - 1)) == 0;
>  }
> 
> +/**
> + * Constant-time memory inequality comparison.
> + *
> + * This function compares two memory regions in constant time, making
> it
> + * resistant to timing side-channel attacks. The execution time
> depends only
> + * on the length parameter, not on the actual data values being
> compared.
> + *
> + * This is particularly important for cryptographic operations where
> timing
> + * differences could leak information about secret keys, passwords, or
> other
> + * sensitive data.
> + *
> + * @param a
> + *   Pointer to the first memory region to compare
> + * @param b
> + *   Pointer to the second memory region to compare
> + * @param n
> + *   Number of bytes to compare
> + * @return
> + *   false if the memory regions are identical, true if they differ
> + */
> +static inline bool
> +rte_consttime_memneq(const void *a, const void *b, size_t n)
> +{
> +	const volatile uint8_t *pa = (const volatile uint8_t *)a;
> +	const volatile uint8_t *pb = (const volatile uint8_t *)b;
> +	uint8_t result = 0;
> +	size_t i;
> +
> +	for (i = 0; i < n; i++)
> +		result |= pa[i] ^ pb[i];
> +
> +	return result != 0;
> +}
> +
>  /*********** Macros for compile type checks ********/
> 
>  /* Workaround for toolchain issues with missing C11 macro in FreeBSD
> */
> --
> 2.34.1

My comments here still apply:
https://inbox.dpdk.org/dev/98CBD80474FA8B44BF855DF32C47DC35F6547A@smartserver.smartshare.dk/

Also, this is certainly not a common function, so don't put it in rte_commo.h. Put it in rte_memory.h as suggested.

-Morten

Re: [dpdk-dev v3 1/2] eal: Add rte_consttime_memneq() to prevent timing attacks memcmp.

[Stephen Hemminger]

On Fri, 26 Sep 2025 21:17:08 +0200
Morten Brørup <mb@smartsharesystems.com> wrote:

> > From: Kai Ji [mailto:kai.ji@intel.com]
> > Sent: Friday, 26 September 2025 18.02
> > 
> > Bugzilla ID: 1773
> > https://bugs.dpdk.org/show_bug.cgi?id=1773
> > 
> > Signed-off-by: Kai Ji <kai.ji@intel.com>
> > ---
> >  lib/eal/include/rte_common.h | 34 ++++++++++++++++++++++++++++++++++
> >  1 file changed, 34 insertions(+)
> > 
> > diff --git a/lib/eal/include/rte_common.h
> > b/lib/eal/include/rte_common.h
> > index 9e7d84f929..ddbba083be 100644
> > --- a/lib/eal/include/rte_common.h
> > +++ b/lib/eal/include/rte_common.h
> > @@ -700,6 +700,40 @@ rte_is_aligned(const void * const __rte_restrict
> > ptr, const unsigned int align)
> >  	return ((uintptr_t)ptr & (align - 1)) == 0;
> >  }
> > 
> > +/**
> > + * Constant-time memory inequality comparison.
> > + *
> > + * This function compares two memory regions in constant time, making
> > it
> > + * resistant to timing side-channel attacks. The execution time
> > depends only
> > + * on the length parameter, not on the actual data values being
> > compared.
> > + *
> > + * This is particularly important for cryptographic operations where
> > timing
> > + * differences could leak information about secret keys, passwords, or
> > other
> > + * sensitive data.
> > + *
> > + * @param a
> > + *   Pointer to the first memory region to compare
> > + * @param b
> > + *   Pointer to the second memory region to compare
> > + * @param n
> > + *   Number of bytes to compare
> > + * @return
> > + *   false if the memory regions are identical, true if they differ
> > + */
> > +static inline bool
> > +rte_consttime_memneq(const void *a, const void *b, size_t n)
> > +{
> > +	const volatile uint8_t *pa = (const volatile uint8_t *)a;
> > +	const volatile uint8_t *pb = (const volatile uint8_t *)b;
> > +	uint8_t result = 0;
> > +	size_t i;
> > +
> > +	for (i = 0; i < n; i++)
> > +		result |= pa[i] ^ pb[i];
> > +
> > +	return result != 0;
> > +}
> > +
> >  /*********** Macros for compile type checks ********/
> > 
> >  /* Workaround for toolchain issues with missing C11 macro in FreeBSD
> > */
> > --
> > 2.34.1  
> 
> My comments here still apply:
> https://inbox.dpdk.org/dev/98CBD80474FA8B44BF855DF32C47DC35F6547A@smartserver.smartshare.dk/
> 
> Also, this is certainly not a common function, so don't put it in rte_commo.h. Put it in rte_memory.h as suggested.

Yes, Should be next to existing rte_memzero_explicit in rte_memory.h

[dpdk-dev v4 1/2] eal: Add mem equal and non-equal to prevent timing attacks memcmp.

[Kai Ji]

Bugzilla ID: 1773
Cc: stable@dpdk.org

[0] https://bugs.dpdk.org/show_bug.cgi?id=1773

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 lib/eal/include/rte_memory.h | 68 ++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/lib/eal/include/rte_memory.h b/lib/eal/include/rte_memory.h
index dcc0e69cfe..bbdef8e939 100644
--- a/lib/eal/include/rte_memory.h
+++ b/lib/eal/include/rte_memory.h
@@ -746,6 +746,74 @@ __rte_experimental
 void
 rte_memzero_explicit(void *dst, size_t sz);
 
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice.
+ *
+ * Constant-time memory inequality comparison.
+ *
+ * This function compares two memory regions in constant time, making it
+ * resistant to timing side-channel attacks. The execution time depends only
+ * on the length parameter, not on the actual data values being compared.
+ *
+ * This is particularly important for cryptographic operations where timing
+ * differences could leak information about secret keys, passwords, or other
+ * sensitive data.
+ *
+ * @param a
+ *   Pointer to the first memory region to compare
+ * @param b
+ *   Pointer to the second memory region to compare
+ * @param n
+ *   Number of bytes to compare
+ * @return
+ *   false if the memory regions are identical, true if they differ
+ */
+__rte_experimental
+static inline bool
+rte_memneq_consttime(const void *a, const void *b, size_t n)
+{
+	const volatile uint8_t *pa = (const volatile uint8_t *)a;
+	const volatile uint8_t *pb = (const volatile uint8_t *)b;
+	uint8_t result = 0;
+	size_t i;
+
+	for (i = 0; i < n; i++)
+		result |= pa[i] ^ pb[i];
+
+	return result != 0;
+}
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice.
+ *
+ * Constant-time memory equality comparison.
+ *
+ * This function compares two memory regions in constant time, making it
+ * resistant to timing side-channel attacks. The execution time depends only
+ * on the length parameter, not on the actual data values being compared.
+ *
+ * This is particularly important for cryptographic operations where timing
+ * differences could leak information about secret keys, passwords, or other
+ * sensitive data.
+ *
+ * @param a
+ *   Pointer to the first memory region to compare
+ * @param b
+ *   Pointer to the second memory region to compare
+ * @param n
+ *   Number of bytes to compare
+ * @return
+ *   true if the memory regions are identical, false if they differ
+ */
+__rte_experimental
+static inline bool
+rte_memeq_consttime(const void *a, const void *b, size_t n)
+{
+	return !rte_memneq_consttime(a, b, n);
+}
+
 #ifdef __cplusplus
 }
 #endif
-- 
2.34.1

[dpdk-dev v4 2/2] crypto/ipsec-mb: use constant-time memory comparison

[Kai Ji]

Replace memcmp() with rte_memneq_consttime() in cryptographic
authentication verification operations across iipsec-mb drivers.

Note: OpenSSL crypto driver already uses CRYPTO_memcmp() which
provides equivalent timing attack resistance and is left unchanged.

Note: scheduler driver memcmp stays unchanged as its not secret data
comparison and actually faster with no timing attack risk.

Bugzilla ID: 1773
Cc: stable@dpdk.org

[0] https://bugs.dpdk.org/show_bug.cgi?id=1773

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 drivers/crypto/ipsec_mb/pmd_aesni_gcm.c | 5 ++---
 drivers/crypto/ipsec_mb/pmd_aesni_mb.c  | 6 +++---
 drivers/crypto/ipsec_mb/pmd_snow3g.c    | 4 ++--
 drivers/crypto/ipsec_mb/pmd_zuc.c       | 4 ++--
 4 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c b/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
index 8d40bd9169..a3d1d19025 100644
--- a/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
+++ b/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
@@ -206,7 +206,7 @@ post_process_gcm_crypto_op(struct ipsec_mb_qp *qp,
 				tag, session->req_digest_length);
 #endif
 
-		if (memcmp(tag, digest,	session->req_digest_length) != 0)
+		if (rte_memneq_consttime(tag, digest, session->req_digest_length))
 			op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 	} else {
 		if (session->req_digest_length != session->gen_digest_length) {
@@ -558,8 +558,7 @@ aesni_gcm_sgl_op_finalize_decryption(const struct aesni_gcm_session *s,
 	ops.finalize_dec(&s->gdata_key, gdata_ctx, tmpdigest,
 			s->gen_digest_length);
 
-	return memcmp(digest, tmpdigest, s->req_digest_length) == 0 ? 0
-								    : EBADMSG;
+	return rte_memneq_consttime(digest, tmpdigest, s->req_digest_length) ? EBADMSG : 0;
 }
 
 static inline void
diff --git a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
index a6c3f09b6f..f0f67faa46 100644
--- a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
+++ b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
@@ -1902,7 +1902,7 @@ verify_docsis_sec_crc(IMB_JOB *job, uint8_t *status)
 	crc = job->dst + crc_offset;
 
 	/* Verify CRC (at the end of the message) */
-	if (memcmp(job->auth_tag_output, crc, RTE_ETHER_CRC_LEN) != 0)
+	if (rte_memneq_consttime(job->auth_tag_output, crc, RTE_ETHER_CRC_LEN))
 		*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 }
 
@@ -1910,7 +1910,7 @@ static inline void
 verify_digest(IMB_JOB *job, void *digest, uint16_t len, uint8_t *status)
 {
 	/* Verify digest if required */
-	if (memcmp(job->auth_tag_output, digest, len) != 0)
+	if (rte_memneq_consttime(job->auth_tag_output, digest, len))
 		*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 }
 
@@ -2305,7 +2305,7 @@ verify_sync_dgst(struct rte_crypto_sym_vec *vec,
 
 	for (i = 0, k = 0; i != vec->num; i++) {
 		if (vec->status[i] == 0) {
-			if (memcmp(vec->digest[i].va, dgst[i], len) != 0)
+			if (rte_memneq_consttime(vec->digest[i].va, dgst[i], len))
 				vec->status[i] = EBADMSG;
 			else
 				k++;
diff --git a/drivers/crypto/ipsec_mb/pmd_snow3g.c b/drivers/crypto/ipsec_mb/pmd_snow3g.c
index 65f0e5c568..5d99ea568f 100644
--- a/drivers/crypto/ipsec_mb/pmd_snow3g.c
+++ b/drivers/crypto/ipsec_mb/pmd_snow3g.c
@@ -269,8 +269,8 @@ process_snow3g_hash_op(struct ipsec_mb_qp *qp, struct rte_crypto_op **ops,
 					&session->pKeySched_hash,
 					iv, src, length_in_bits, dst);
 			/* Verify digest. */
-			if (memcmp(dst, ops[i]->sym->auth.digest.data,
-					SNOW3G_DIGEST_LENGTH) != 0)
+			if (rte_memneq_consttime(dst, ops[i]->sym->auth.digest.data,
+					SNOW3G_DIGEST_LENGTH))
 				ops[i]->status =
 					RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 		} else {
diff --git a/drivers/crypto/ipsec_mb/pmd_zuc.c b/drivers/crypto/ipsec_mb/pmd_zuc.c
index 44781be1d1..466f6594e5 100644
--- a/drivers/crypto/ipsec_mb/pmd_zuc.c
+++ b/drivers/crypto/ipsec_mb/pmd_zuc.c
@@ -185,8 +185,8 @@ process_zuc_hash_op(struct ipsec_mb_qp *qp, struct rte_crypto_op **ops,
 	 */
 	for (i = 0; i < processed_ops; i++)
 		if (sessions[i]->auth_op == RTE_CRYPTO_AUTH_OP_VERIFY)
-			if (memcmp(dst[i], ops[i]->sym->auth.digest.data,
-					ZUC_DIGEST_LENGTH) != 0)
+			if (rte_memneq_consttime(dst[i], ops[i]->sym->auth.digest.data,
+					ZUC_DIGEST_LENGTH))
 				ops[i]->status =
 					RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 
-- 
2.34.1

Re: [dpdk-dev v4 2/2] crypto/ipsec-mb: use constant-time memory comparison

[Stephen Hemminger]

On Mon, 29 Sep 2025 14:50:49 +0000
Kai Ji <kai.ji@intel.com> wrote:

> Replace memcmp() with rte_memneq_consttime() in cryptographic
> authentication verification operations across iipsec-mb drivers.
> 
> Note: OpenSSL crypto driver already uses CRYPTO_memcmp() which
> provides equivalent timing attack resistance and is left unchanged.
> 
> Note: scheduler driver memcmp stays unchanged as its not secret data
> comparison and actually faster with no timing attack risk.
> 
> Bugzilla ID: 1773
> Cc: stable@dpdk.org
> 
> [0] https://bugs.dpdk.org/show_bug.cgi?id=1773
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---

Thanks for doing this.
A couple other notes from my searching around.
The function memeq_consttime is in NetBSD (not FreeBSD) sorry if I got confused.
OpenBSD has timingsafe_memcmp() and timingsafe_bcmp().

Also this on LWN:

> You would use a constant-time version of memcmp. OpenBSD added timingsafe_bcmp in 2009, and then timingsafe_memcmp a few years later. (https://man.openbsd.org/timingsafe_memcmp.3) NetBSD has consttime_memequal. (https://man.netbsd.org/consttime_memequal.3) Apple and FreeBSD adopted the OpenBSD routines.
> I don't think either glibc or musl libc have adopted a similar interface. So on Linux or for portable software you'd probably want to use CRYPTO_memcmp from OpenSSL.
> 
> You should of course be hashing the passwords with salts, and only comparing those hashes. In which case using a constant-time compare isn't that important as the attacker can't work backward from the short-circuiting compare to decipher the plaintext input. The hashing itself should be constant-time, assuming modern digests like SHA-256 or SHA-3, though it's possible the *length* of the input password would leak. But there are a gazillion ways for the length to leak, and when it comes to password-based authentication schemes that's the least of your worries.
> 
> 
> 

Re: [dpdk-dev v4 1/2] eal: Add mem equal and non-equal to prevent timing attacks memcmp.

[Stephen Hemminger]

On Mon, 29 Sep 2025 14:50:48 +0000
Kai Ji <kai.ji@intel.com> wrote:

> diff --git a/lib/eal/include/rte_memory.h b/lib/eal/include/rte_memory.h
> index dcc0e69cfe..bbdef8e939 100644
> --- a/lib/eal/include/rte_memory.h
> +++ b/lib/eal/include/rte_memory.h
> @@ -746,6 +746,74 @@ __rte_experimental
>  void
>  rte_memzero_explicit(void *dst, size_t sz);
>  
> +/**
> + * @warning
> + * @b EXPERIMENTAL: this API may change without prior notice.
> + *
> + * Constant-time memory inequality comparison.
> + *
> + * This function compares two memory regions in constant time, making it
> + * resistant to timing side-channel attacks. The execution time depends only
> + * on the length parameter, not on the actual data values being compared.
> + *
> + * This is particularly important for cryptographic operations where timing
> + * differences could leak information about secret keys, passwords, or other
> + * sensitive data.
> + *
> + * @param a
> + *   Pointer to the first memory region to compare
> + * @param b
> + *   Pointer to the second memory region to compare
> + * @param n
> + *   Number of bytes to compare
> + * @return
> + *   false if the memory regions are identical, true if they differ
> + */
> +__rte_experimental
> +static inline bool
> +rte_memneq_consttime(const void *a, const void *b, size_t n)

NAK
Please change to match BSD equivalent function (ie not not equal)

RE: [dpdk-dev v4 1/2] eal: Add mem equal and non-equal to prevent timing attacks memcmp.

[Morten Brørup]

> From: Kai Ji [mailto:kai.ji@intel.com]
> Sent: Monday, 29 September 2025 16.51
> 
> Bugzilla ID: 1773
> Cc: stable@dpdk.org
> 
> [0] https://bugs.dpdk.org/show_bug.cgi?id=1773
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---

Acked-by: Morten Brørup <mb@smartsharesystems.com>

@Stephen: V4 also includes equal, which you was asking for.

Re: [dpdk-dev v4 1/2] eal: Add mem equal and non-equal to prevent timing attacks memcmp.

[Stephen Hemminger]

On Mon, 29 Sep 2025 19:48:19 +0200
Morten Brørup <mb@smartsharesystems.com> wrote:

> > From: Kai Ji [mailto:kai.ji@intel.com]
> > Sent: Monday, 29 September 2025 16.51
> > 
> > Bugzilla ID: 1773
> > Cc: stable@dpdk.org
> > 
> > [0] https://bugs.dpdk.org/show_bug.cgi?id=1773
> > 
> > Signed-off-by: Kai Ji <kai.ji@intel.com>
> > ---  
> 
> Acked-by: Morten Brørup <mb@smartsharesystems.com>
> 
> @Stephen: V4 also includes equal, which you was asking for.
> 

The point is that we should only have the eq variant.
Having the not equal is unnecessary addition.

RE: [dpdk-dev v4 1/2] eal: Add mem equal and non-equal to prevent timing attacks memcmp.

[Morten Brørup]

> From: Stephen Hemminger [mailto:stephen@networkplumber.org]
> Sent: Tuesday, 30 September 2025 00.49
> 
> On Mon, 29 Sep 2025 19:48:19 +0200
> Morten Brørup <mb@smartsharesystems.com> wrote:
> 
> > > From: Kai Ji [mailto:kai.ji@intel.com]
> > > Sent: Monday, 29 September 2025 16.51
> > >
> > > Bugzilla ID: 1773
> > > Cc: stable@dpdk.org
> > >
> > > [0] https://bugs.dpdk.org/show_bug.cgi?id=1773
> > >
> > > Signed-off-by: Kai Ji <kai.ji@intel.com>
> > > ---
> >
> > Acked-by: Morten Brørup <mb@smartsharesystems.com>
> >
> > @Stephen: V4 also includes equal, which you was asking for.
> >
> 
> The point is that we should only have the eq variant.
> Having the not equal is unnecessary addition.

Yes, I would tend to agree with Stephen on this.

[dpdk-dev v5 1/2] eal: introduce rte_timingsafe_memcmp() based on OpenBSD API

[Kai Ji]

Bugzilla ID: 1773
https://bugs.dpdk.org/show_bug.cgi?id=1773

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 lib/eal/include/rte_memory.h | 38 ++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/lib/eal/include/rte_memory.h b/lib/eal/include/rte_memory.h
index dcc0e69cfe..6939c1caad 100644
--- a/lib/eal/include/rte_memory.h
+++ b/lib/eal/include/rte_memory.h
@@ -746,6 +746,44 @@ __rte_experimental
 void
 rte_memzero_explicit(void *dst, size_t sz);
 
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice.
+ *
+ * Constant-time memory comparison.
+ *
+ * This function compares two memory regions in constant time, making it
+ * resistant to timing side-channel attacks. The execution time depends only
+ * on the length parameter, not on the actual data values being compared.
+ *
+ * This is particularly important for cryptographic operations where timing
+ * differences could leak information about secret keys, passwords, or other
+ * sensitive data.
+ *
+ * @param a
+ *   Pointer to the first memory region to compare
+ * @param b
+ *   Pointer to the second memory region to compare
+ * @param n
+ *   Number of bytes to compare
+ * @return
+ *   0 if the memory regions are identical, non-zero if they differ
+ */
+__rte_experimental
+static inline int
+rte_timingsafe_memcmp(const void *a, const void *b, size_t n)
+{
+	const volatile uint8_t *pa = (const volatile uint8_t *)a;
+	const volatile uint8_t *pb = (const volatile uint8_t *)b;
+	uint8_t result = 0;
+	size_t i;
+
+	for (i = 0; i < n; i++)
+		result |= pa[i] ^ pb[i];
+
+	return result;
+}
+
 #ifdef __cplusplus
 }
 #endif
-- 
2.34.1

[dpdk-dev v5 2/2] crypto/ipsec-mb: use constant-time memory comparison

[Kai Ji]

Replace memcmp() with rte_timingsafe_memcmp() in cryptographic
authentication verification operations across iipsec-mb drivers.

Note: OpenSSL crypto driver already uses CRYPTO_memcmp() which
provides equivalent timing attack resistance and is left unchanged.

Note: scheduler driver memcmp stays unchanged as its not secret data
comparison and actually faster with no timing attack risk.

Bugzilla ID: 1773
https://bugs.dpdk.org/show_bug.cgi?id=1773

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 drivers/crypto/ipsec_mb/pmd_aesni_gcm.c | 5 ++---
 drivers/crypto/ipsec_mb/pmd_aesni_mb.c  | 6 +++---
 drivers/crypto/ipsec_mb/pmd_snow3g.c    | 2 +-
 drivers/crypto/ipsec_mb/pmd_zuc.c       | 2 +-
 4 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c b/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
index 8d40bd9169..56670f3b81 100644
--- a/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
+++ b/drivers/crypto/ipsec_mb/pmd_aesni_gcm.c
@@ -206,7 +206,7 @@ post_process_gcm_crypto_op(struct ipsec_mb_qp *qp,
 				tag, session->req_digest_length);
 #endif
 
-		if (memcmp(tag, digest,	session->req_digest_length) != 0)
+		if (rte_timingsafe_memcmp(tag, digest, session->req_digest_length) != 0)
 			op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 	} else {
 		if (session->req_digest_length != session->gen_digest_length) {
@@ -558,8 +558,7 @@ aesni_gcm_sgl_op_finalize_decryption(const struct aesni_gcm_session *s,
 	ops.finalize_dec(&s->gdata_key, gdata_ctx, tmpdigest,
 			s->gen_digest_length);
 
-	return memcmp(digest, tmpdigest, s->req_digest_length) == 0 ? 0
-								    : EBADMSG;
+	return rte_timingsafe_memcmp(digest, tmpdigest, s->req_digest_length) != 0 ? EBADMSG : 0;
 }
 
 static inline void
diff --git a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
index a6c3f09b6f..81169e3518 100644
--- a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
+++ b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c
@@ -1902,7 +1902,7 @@ verify_docsis_sec_crc(IMB_JOB *job, uint8_t *status)
 	crc = job->dst + crc_offset;
 
 	/* Verify CRC (at the end of the message) */
-	if (memcmp(job->auth_tag_output, crc, RTE_ETHER_CRC_LEN) != 0)
+	if (rte_timingsafe_memcmp(job->auth_tag_output, crc, RTE_ETHER_CRC_LEN) != 0)
 		*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 }
 
@@ -1910,7 +1910,7 @@ static inline void
 verify_digest(IMB_JOB *job, void *digest, uint16_t len, uint8_t *status)
 {
 	/* Verify digest if required */
-	if (memcmp(job->auth_tag_output, digest, len) != 0)
+	if (rte_timingsafe_memcmp(job->auth_tag_output, digest, len) != 0)
 		*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 }
 
@@ -2305,7 +2305,7 @@ verify_sync_dgst(struct rte_crypto_sym_vec *vec,
 
 	for (i = 0, k = 0; i != vec->num; i++) {
 		if (vec->status[i] == 0) {
-			if (memcmp(vec->digest[i].va, dgst[i], len) != 0)
+			if (rte_timingsafe_memcmp(vec->digest[i].va, dgst[i], len) != 0)
 				vec->status[i] = EBADMSG;
 			else
 				k++;
diff --git a/drivers/crypto/ipsec_mb/pmd_snow3g.c b/drivers/crypto/ipsec_mb/pmd_snow3g.c
index 65f0e5c568..79daf28119 100644
--- a/drivers/crypto/ipsec_mb/pmd_snow3g.c
+++ b/drivers/crypto/ipsec_mb/pmd_snow3g.c
@@ -269,7 +269,7 @@ process_snow3g_hash_op(struct ipsec_mb_qp *qp, struct rte_crypto_op **ops,
 					&session->pKeySched_hash,
 					iv, src, length_in_bits, dst);
 			/* Verify digest. */
-			if (memcmp(dst, ops[i]->sym->auth.digest.data,
+			if (rte_timingsafe_memcmp(dst, ops[i]->sym->auth.digest.data,
 					SNOW3G_DIGEST_LENGTH) != 0)
 				ops[i]->status =
 					RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
diff --git a/drivers/crypto/ipsec_mb/pmd_zuc.c b/drivers/crypto/ipsec_mb/pmd_zuc.c
index 44781be1d1..b466d4178d 100644
--- a/drivers/crypto/ipsec_mb/pmd_zuc.c
+++ b/drivers/crypto/ipsec_mb/pmd_zuc.c
@@ -185,7 +185,7 @@ process_zuc_hash_op(struct ipsec_mb_qp *qp, struct rte_crypto_op **ops,
 	 */
 	for (i = 0; i < processed_ops; i++)
 		if (sessions[i]->auth_op == RTE_CRYPTO_AUTH_OP_VERIFY)
-			if (memcmp(dst[i], ops[i]->sym->auth.digest.data,
+			if (rte_timingsafe_memcmp(dst[i], ops[i]->sym->auth.digest.data,
 					ZUC_DIGEST_LENGTH) != 0)
 				ops[i]->status =
 					RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
-- 
2.34.1

Re: [dpdk-dev v5 1/2] eal: introduce rte_timingsafe_memcmp() based on OpenBSD API

[Bruce Richardson]

On Wed, Oct 01, 2025 at 03:32:41PM +0000, Kai Ji wrote:
> Bugzilla ID: 1773
> https://bugs.dpdk.org/show_bug.cgi?id=1773
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
>  lib/eal/include/rte_memory.h | 38 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 38 insertions(+)
> 
> diff --git a/lib/eal/include/rte_memory.h b/lib/eal/include/rte_memory.h
> index dcc0e69cfe..6939c1caad 100644
> --- a/lib/eal/include/rte_memory.h
> +++ b/lib/eal/include/rte_memory.h
> @@ -746,6 +746,44 @@ __rte_experimental
>  void
>  rte_memzero_explicit(void *dst, size_t sz);
>  
> +/**
> + * @warning
> + * @b EXPERIMENTAL: this API may change without prior notice.
> + *
> + * Constant-time memory comparison.
> + *
> + * This function compares two memory regions in constant time, making it
> + * resistant to timing side-channel attacks. The execution time depends only
> + * on the length parameter, not on the actual data values being compared.
> + *
> + * This is particularly important for cryptographic operations where timing
> + * differences could leak information about secret keys, passwords, or other
> + * sensitive data.
> + *
> + * @param a
> + *   Pointer to the first memory region to compare
> + * @param b
> + *   Pointer to the second memory region to compare
> + * @param n
> + *   Number of bytes to compare
> + * @return
> + *   0 if the memory regions are identical, non-zero if they differ
> + */
> +__rte_experimental
> +static inline int
> +rte_timingsafe_memcmp(const void *a, const void *b, size_t n)
> +{
> +	const volatile uint8_t *pa = (const volatile uint8_t *)a;
> +	const volatile uint8_t *pb = (const volatile uint8_t *)b;
> +	uint8_t result = 0;
> +	size_t i;
> +
> +	for (i = 0; i < n; i++)
> +		result |= pa[i] ^ pb[i];
> +
> +	return result;
> +}
> +

Just wondering if it's worth doing:

#ifdef RTE_EXEC_ENV_FREEBSD
#define rte_timingsafe_memcmp timingsafe_memcmp
#else
...
#endif

to use the OS-provided function where possible.

/Bruce

Re: [dpdk-dev v2 1/2] eal: Add rte_consttime_memsq() to prevent timing attacks memcmp.

[Stephen Hemminger]

On Fri, 26 Sep 2025 15:49:04 +0000
Kai Ji <kai.ji@intel.com> wrote:

> Bugzilla ID: 1773
> Cc: stable@dpdk.org
> 
> [0] https://bugs.dpdk.org/show_bug.cgi?id=1773
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
>  lib/eal/include/rte_common.h | 34 ++++++++++++++++++++++++++++++++++
>  1 file changed, 34 insertions(+)
> 
> diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
> index 9e7d84f929..ddbba083be 100644
> --- a/lib/eal/include/rte_common.h
> +++ b/lib/eal/include/rte_common.h
> @@ -700,6 +700,40 @@ rte_is_aligned(const void * const __rte_restrict ptr, const unsigned int align)
>  	return ((uintptr_t)ptr & (align - 1)) == 0;
>  }
>  
> +/**
> + * Constant-time memory inequality comparison.
> + *
> + * This function compares two memory regions in constant time, making it
> + * resistant to timing side-channel attacks. The execution time depends only
> + * on the length parameter, not on the actual data values being compared.
> + *
> + * This is particularly important for cryptographic operations where timing
> + * differences could leak information about secret keys, passwords, or other
> + * sensitive data.
> + *
> + * @param a
> + *   Pointer to the first memory region to compare
> + * @param b
> + *   Pointer to the second memory region to compare
> + * @param n
> + *   Number of bytes to compare
> + * @return
> + *   false if the memory regions are identical, true if they differ
> + */
> +static inline bool
> +rte_consttime_memneq(const void *a, const void *b, size_t n)
> +{
> +	const volatile uint8_t *pa = (const volatile uint8_t *)a;
> +	const volatile uint8_t *pb = (const volatile uint8_t *)b;
> +	uint8_t result = 0;
> +	size_t i;
> +
> +	for (i = 0; i < n; i++)
> +		result |= pa[i] ^ pb[i];
> +
> +	return result != 0;
> +}

New functions usually have to be marked experimental.

Since DPDK adopts many things from FreeBSD, perhaps the function
should use the same naming conventions. That would mean

int rte_consttime_memequal(void *, void *, size_t len);

And will also need to update release notes.

Re: [dpdk-dev v2 1/2] eal: Add rte_consttime_memsq() to prevent timing attacks memcmp.

[Bruce Richardson]

On Fri, Sep 26, 2025 at 11:07:52AM -0700, Stephen Hemminger wrote:
> On Fri, 26 Sep 2025 15:49:04 +0000
> Kai Ji <kai.ji@intel.com> wrote:
> 
> > Bugzilla ID: 1773
> > Cc: stable@dpdk.org
> > 
> > [0] https://bugs.dpdk.org/show_bug.cgi?id=1773
> > 
> > Signed-off-by: Kai Ji <kai.ji@intel.com>
> > ---
> >  lib/eal/include/rte_common.h | 34 ++++++++++++++++++++++++++++++++++
> >  1 file changed, 34 insertions(+)
> > 
> > diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
> > index 9e7d84f929..ddbba083be 100644
> > --- a/lib/eal/include/rte_common.h
> > +++ b/lib/eal/include/rte_common.h
> > @@ -700,6 +700,40 @@ rte_is_aligned(const void * const __rte_restrict ptr, const unsigned int align)
> >  	return ((uintptr_t)ptr & (align - 1)) == 0;
> >  }
> >  
> > +/**
> > + * Constant-time memory inequality comparison.
> > + *
> > + * This function compares two memory regions in constant time, making it
> > + * resistant to timing side-channel attacks. The execution time depends only
> > + * on the length parameter, not on the actual data values being compared.
> > + *
> > + * This is particularly important for cryptographic operations where timing
> > + * differences could leak information about secret keys, passwords, or other
> > + * sensitive data.
> > + *
> > + * @param a
> > + *   Pointer to the first memory region to compare
> > + * @param b
> > + *   Pointer to the second memory region to compare
> > + * @param n
> > + *   Number of bytes to compare
> > + * @return
> > + *   false if the memory regions are identical, true if they differ
> > + */
> > +static inline bool
> > +rte_consttime_memneq(const void *a, const void *b, size_t n)
> > +{
> > +	const volatile uint8_t *pa = (const volatile uint8_t *)a;
> > +	const volatile uint8_t *pb = (const volatile uint8_t *)b;
> > +	uint8_t result = 0;
> > +	size_t i;
> > +
> > +	for (i = 0; i < n; i++)
> > +		result |= pa[i] ^ pb[i];
> > +
> > +	return result != 0;
> > +}
> 
> New functions usually have to be marked experimental.
> 
> Since DPDK adopts many things from FreeBSD, perhaps the function
> should use the same naming conventions. That would mean
> 
> int rte_consttime_memequal(void *, void *, size_t len);
> 
> And will also need to update release notes.

+1 for removing the "not" from the name which avoids having double
negatives in conditionals. Also agree with keeping consistency with BSD
name.

/Bruce

Re: [dpdk-dev v2 1/2] eal: Add rte_consttime_memsq() to prevent timing attacks memcmp.

[Stephen Hemminger]

On Fri, 26 Sep 2025 15:49:04 +0000
Kai Ji <kai.ji@intel.com> wrote:

> Bugzilla ID: 1773
> Cc: stable@dpdk.org
> 
> [0] https://bugs.dpdk.org/show_bug.cgi?id=1773
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
>  lib/eal/include/rte_common.h | 34 ++++++++++++++++++++++++++++++++++
>  1 file changed, 34 insertions(+)
> 
> diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
> index 9e7d84f929..ddbba083be 100644
> --- a/lib/eal/include/rte_common.h
> +++ b/lib/eal/include/rte_common.h
> @@ -700,6 +700,40 @@ rte_is_aligned(const void * const __rte_restrict ptr, const unsigned int align)
>  	return ((uintptr_t)ptr & (align - 1)) == 0;
>  }
>  
> +/**
> + * Constant-time memory inequality comparison.
> + *
> + * This function compares two memory regions in constant time, making it
> + * resistant to timing side-channel attacks. The execution time depends only
> + * on the length parameter, not on the actual data values being compared.
> + *
> + * This is particularly important for cryptographic operations where timing
> + * differences could leak information about secret keys, passwords, or other
> + * sensitive data.
> + *
> + * @param a
> + *   Pointer to the first memory region to compare
> + * @param b
> + *   Pointer to the second memory region to compare
> + * @param n
> + *   Number of bytes to compare
> + * @return
> + *   false if the memory regions are identical, true if they differ
> + */
> +static inline bool
> +rte_consttime_memneq(const void *a, const void *b, size_t n)
> +{
> +	const volatile uint8_t *pa = (const volatile uint8_t *)a;
> +	const volatile uint8_t *pb = (const volatile uint8_t *)b;
> +	uint8_t result = 0;
> +	size_t i;
> +
> +	for (i = 0; i < n; i++)
> +		result |= pa[i] ^ pb[i];
> +
> +	return result != 0;
> +}
> +
>  /*********** Macros for compile type checks ********/
>  
>  /* Workaround for toolchain issues with missing C11 macro in FreeBSD */

Also need functional tests for any new function in the functional test suites.
Just some basic tests, suggest using random data, and lengths; validate with memcmp.
And/or see what freebsd already has.