net/tcp-ao: Fix MAC comparison to be constant-time

To prevent timing attacks, MACs need to be compared in constant
time.  Use the appropriate helper function for this.

Fixes: 0a3a809089eb ("net/tcp: Verify inbound TCP-AO signed segments")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Link: https://patch.msgid.link/20260302203600.13561-1-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index b71c22475c515ffc64fd886fab2f748d8ab9b253..3ab6247be58530104d0bd87c48d6fff9ce0144dd 100644 (file)
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -748,6 +748,7 @@ config TCP_SIGPOOL
 config TCP_AO
        bool "TCP: Authentication Option (RFC5925)"
        select CRYPTO
+       select CRYPTO_LIB_UTILS
        select TCP_SIGPOOL
        depends on 64BIT && IPV6 != m # seq-number extension needs WRITE_ONCE(u64)
        help

diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index 4980caddb0fc49be6507ad557d431fc8f4a3f6b8..a97cdf3e6af4cf1ee1cd8c6361944536056543e6 100644 (file)
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -10,6 +10,7 @@
 #define pr_fmt(fmt) "TCP: " fmt
 
 #include <crypto/hash.h>
+#include <crypto/utils.h>
 #include <linux/inetdevice.h>
 #include <linux/tcp.h>
 
@@ -922,7 +923,7 @@ tcp_ao_verify_hash(const struct sock *sk, const struct sk_buff *skb,
        /* XXX: make it per-AF callback? */
        tcp_ao_hash_skb(family, hash_buf, key, sk, skb, traffic_key,
                        (phash - (u8 *)th), sne);
-       if (memcmp(phash, hash_buf, maclen)) {
+       if (crypto_memneq(phash, hash_buf, maclen)) {
                NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD);
                atomic64_inc(&info->counters.pkt_bad);
                atomic64_inc(&key->pkt_bad);