[dpdk-stable] patch 'crypto/openssl: fix usage of non constant time memcmp' has been queued to LTS release 18.11.3

Kevin Traynor ktraynor at redhat.com
Tue Aug 27 11:30:01 CEST 2019


Hi,

FYI, your patch has been queued to LTS release 18.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 09/03/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(i.e. not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable-queue/commit/76659ab156f8e758946c80184b6db2b3460953e0

Thanks.

Kevin Traynor

---
From 76659ab156f8e758946c80184b6db2b3460953e0 Mon Sep 17 00:00:00 2001
From: Arek Kusztal <arkadiuszx.kusztal at intel.com>
Date: Fri, 31 May 2019 08:59:28 +0200
Subject: [PATCH] crypto/openssl: fix usage of non constant time memcmp

[ upstream commit a3f9fededfca6758abb751d67b11cda660a3399a ]

ANSI C memcmp is not a constant time function per spec so it should
be avoided in cryptography usage.

Fixes: d61f70b4c918 ("crypto/libcrypto: add driver for OpenSSL library")

Signed-off-by: Arek Kusztal <arkadiuszx.kusztal at intel.com>
Acked-by: Fiona Trahe <fiona.trahe at intel.com>
---
 drivers/crypto/openssl/rte_openssl_pmd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 5b27bb919..d072d8084 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1529,5 +1529,5 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 
 	if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
-		if (memcmp(dst, op->sym->auth.digest.data,
+		if (CRYPTO_memcmp(dst, op->sym->auth.digest.data,
 				sess->auth.digest_length) != 0) {
 			op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
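Review bot: CRYPTO_memcmp is declared in <openssl/crypto.h>, and the diffstat (2 insertions, 2 deletions) shows no include being added, so please confirm that rte_openssl_pmd.c on the 18.11 branch already pulls that header in, directly or through another OpenSSL header, before the call in the RTE_CRYPTO_AUTH_OP_VERIFY branch. The `!= 0` test is the right form to keep here, since CRYPTO_memcmp only reports equal or not equal and gives no ordering.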
@@ -1921,5 +1921,5 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
 				"length of message %zd\n",
 				ret, op->rsa.message.length);
-		if ((ret <= 0) || (memcmp(tmp, op->rsa.message.data,
+		if ((ret <= 0) || (CRYPTO_memcmp(tmp, op->rsa.message.data,
 				op->rsa.message.length))) {
 			OPENSSL_LOG(ERR, "RSA sign Verification failed");
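Review bot: in the RSA verify condition the compare runs over op->rsa.message.length bytes of tmp, while the log call just above prints ret next to that length, which suggests the two can differ. If ret is the number of bytes recovered into tmp, consider an explicit check that ret equals op->rsa.message.length before the CRYPTO_memcmp call, so that a shorter recovered message is not compared over bytes this operation did not write. Note also that `(ret <= 0) ||` still short-circuits, so only the byte comparison itself becomes constant time.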
-- 
2.20.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2019-08-27 09:40:12.226239776 +0100
+++ 0024-crypto-openssl-fix-usage-of-non-constant-time-memcmp.patch	2019-08-27 09:40:10.907144704 +0100
@@ -1 +1 @@
-From a3f9fededfca6758abb751d67b11cda660a3399a Mon Sep 17 00:00:00 2001
+From 76659ab156f8e758946c80184b6db2b3460953e0 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit a3f9fededfca6758abb751d67b11cda660a3399a ]
+
@@ -10 +11,0 @@
-Cc: stable at dpdk.org
@@ -19 +20 @@
-index 6504959e6..73ce3833c 100644
+index 5b27bb919..d072d8084 100644
@@ -22 +23 @@
-@@ -1530,5 +1530,5 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
+@@ -1529,5 +1529,5 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
@@ -29 +30 @@
-@@ -1915,5 +1915,5 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
+@@ -1921,5 +1921,5 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
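
The reason given in the commit message, shown as an added C example that is not part of the patch, DPDK or OpenSSL: an early-exit compare examines a number of bytes that depends on where a candidate digest first differs, while a constant-time style compare always examines all of them. `leaky_cmp`, `ct_cmp` and `steps_for_mismatch` are hypothetical names, `ct_cmp` is an illustrative stand-in and not OpenSSL's CRYPTO_memcmp, the 32-byte digest is constructed, and the byte count is used as a proxy for run time.

```c
#include <stdio.h>
#include <string.h>

/* Early-exit compare, as memcmp may behave; *steps = bytes examined (demo only). */
static int leaky_cmp(const unsigned char *a, const unsigned char *b,
		size_t len, size_t *steps)
{
	size_t i;
	for (i = 0, *steps = 0; i < len; i++) {
		(*steps)++;
		if (a[i] != b[i])
			return a[i] < b[i] ? -1 : 1;
	}
	return 0;
}

/* Illustrative constant-time style compare (not OpenSSL's CRYPTO_memcmp):
 * accumulate the XOR of every byte pair, with no data-dependent branch. */
static int ct_cmp(const unsigned char *a, const unsigned char *b,
		size_t len, size_t *steps)
{
	volatile unsigned char acc = 0;
	size_t i;
	for (i = 0, *steps = 0; i < len; i++) {
		(*steps)++;
		acc |= (unsigned char)(a[i] ^ b[i]);
	}
	return acc; /* 0 if equal, non-zero otherwise */
}

/* Bytes examined when the candidate first differs at index pos (pos >= 32: equal). */
static size_t steps_for_mismatch(int use_ct, size_t pos)
{
	unsigned char expected[32], candidate[32]; /* constructed sample digest */
	size_t steps;
	memset(expected, 0xA5, sizeof(expected));
	memcpy(candidate, expected, sizeof(candidate));
	if (pos < sizeof(candidate))
		candidate[pos] ^= 0xFF;
	(use_ct ? ct_cmp : leaky_cmp)(expected, candidate, sizeof(expected), &steps);
	return steps;
}

int main(void)
{
	size_t pos;
	for (pos = 0; pos <= 32; pos += 8)
		printf("first mismatch at %2zu: early-exit=%2zu constant-time=%2zu\n",
		       pos, steps_for_mismatch(0, pos), steps_for_mismatch(1, pos));
	return 0;
}
```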

