ipv6: sr: Fix MAC comparison to be constant-time

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

To prevent timing attacks, MACs need to be compared in constant time.
Use the appropriate helper function for this.

Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Andrea Mayer <andrea.mayer@uniroma2.it>
Link: https://patch.msgid.link/20250818202724.15713-1-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Eric Biggers and committed by

Jakub Kicinski 7 months ago a458b290 7af76e9d

+2 -1

1 changed file

expand all

net

ipv6

seg6_hmac.c

+2 -1

net/ipv6/seg6_hmac.c

··· 35 35 #include <net/xfrm.h> 36 36 37 37 #include <crypto/hash.h> 38 + #include <crypto/utils.h> 38 39 #include <net/seg6.h> 39 40 #include <net/genetlink.h> 40 41 #include <net/seg6_hmac.h> ··· 281 280 if (seg6_hmac_compute(hinfo, srh, &ipv6_hdr(skb)->saddr, hmac_output)) 282 281 return false; 283 282 284 - if (memcmp(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN) != 0) 283 + if (crypto_memneq(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN)) 285 284 return false; 286 285 287 286 return true;