1. Patchew
  2. linux
  3. View series

[PATCH net] net/tcp-ao: Fix MAC comparison to be constant-time

Eric Biggers posted 1 patch 4 hours ago 
net/ipv4/Kconfig  | 1 +
net/ipv4/tcp_ao.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
[PATCH net] net/tcp-ao: Fix MAC comparison to be constant-time
Posted by Eric Biggers 4 hours ago 
To prevent timing attacks, MACs need to be compared in constant
time.  Use the appropriate helper function for this.

Fixes: 0a3a809089eb ("net/tcp: Verify inbound TCP-AO signed segments")
Cc: stable@vger.kernel.org
Cc: Dmitry Safonov <0x7f454c46@gmail.com>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 net/ipv4/Kconfig  | 1 +
 net/ipv4/tcp_ao.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index b71c22475c515..3ab6247be5853 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -746,10 +746,11 @@ config TCP_SIGPOOL
 	tristate
 
 config TCP_AO
 	bool "TCP: Authentication Option (RFC5925)"
 	select CRYPTO
+	select CRYPTO_LIB_UTILS
 	select TCP_SIGPOOL
 	depends on 64BIT && IPV6 != m # seq-number extension needs WRITE_ONCE(u64)
 	help
 	  TCP-AO specifies the use of stronger Message Authentication Codes (MACs),
 	  protects against replays for long-lived TCP connections, and
diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index 4980caddb0fc4..a97cdf3e6af4c 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -8,10 +8,11 @@
  *		Salam Noureddine <noureddine@arista.com>
  */
 #define pr_fmt(fmt) "TCP: " fmt
 
 #include <crypto/hash.h>
+#include <crypto/utils.h>
 #include <linux/inetdevice.h>
 #include <linux/tcp.h>
 
 #include <net/tcp.h>
 #include <net/ipv6.h>
@@ -920,11 +921,11 @@ tcp_ao_verify_hash(const struct sock *sk, const struct sk_buff *skb,
 		return SKB_DROP_REASON_NOT_SPECIFIED;
 
 	/* XXX: make it per-AF callback? */
 	tcp_ao_hash_skb(family, hash_buf, key, sk, skb, traffic_key,
 			(phash - (u8 *)th), sne);
-	if (memcmp(phash, hash_buf, maclen)) {
+	if (crypto_memneq(phash, hash_buf, maclen)) {
 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD);
 		atomic64_inc(&info->counters.pkt_bad);
 		atomic64_inc(&key->pkt_bad);
 		trace_tcp_ao_mismatch(sk, skb, aoh->keyid,
 				      aoh->rnext_keyid, maclen);

base-commit: 9439a661c2e80485406ce2c90b107ca17858382d
-- 
2.53.0
Re: [PATCH net] net/tcp-ao: Fix MAC comparison to be constant-time
Posted by Dmitry Safonov 4 hours ago 
On Mon, 2 Mar 2026 at 20:36, Eric Biggers <ebiggers@kernel.org> wrote:
>
> To prevent timing attacks, MACs need to be compared in constant
> time.  Use the appropriate helper function for this.
>
> Fixes: 0a3a809089eb ("net/tcp: Verify inbound TCP-AO signed segments")
> Cc: stable@vger.kernel.org
> Cc: Dmitry Safonov <0x7f454c46@gmail.com>
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>

Thanks, Eric, LGTM.

Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>

Could you also send a similar patch for TCP-MD5?
tcp_inbound_md5_hash(), tcp_v{4,6}_send_reset() would need the same change.

> ---
>  net/ipv4/Kconfig  | 1 +
>  net/ipv4/tcp_ao.c | 3 ++-
>  2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
> index b71c22475c515..3ab6247be5853 100644
> --- a/net/ipv4/Kconfig
> +++ b/net/ipv4/Kconfig
> @@ -746,10 +746,11 @@ config TCP_SIGPOOL
>         tristate
>
>  config TCP_AO
>         bool "TCP: Authentication Option (RFC5925)"
>         select CRYPTO
> +       select CRYPTO_LIB_UTILS
>         select TCP_SIGPOOL
>         depends on 64BIT && IPV6 != m # seq-number extension needs WRITE_ONCE(u64)
>         help
>           TCP-AO specifies the use of stronger Message Authentication Codes (MACs),
>           protects against replays for long-lived TCP connections, and
> diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
> index 4980caddb0fc4..a97cdf3e6af4c 100644
> --- a/net/ipv4/tcp_ao.c
> +++ b/net/ipv4/tcp_ao.c
> @@ -8,10 +8,11 @@
>   *             Salam Noureddine <noureddine@arista.com>
>   */
>  #define pr_fmt(fmt) "TCP: " fmt
>
>  #include <crypto/hash.h>
> +#include <crypto/utils.h>
>  #include <linux/inetdevice.h>
>  #include <linux/tcp.h>
>
>  #include <net/tcp.h>
>  #include <net/ipv6.h>
> @@ -920,11 +921,11 @@ tcp_ao_verify_hash(const struct sock *sk, const struct sk_buff *skb,
>                 return SKB_DROP_REASON_NOT_SPECIFIED;
>
>         /* XXX: make it per-AF callback? */
>         tcp_ao_hash_skb(family, hash_buf, key, sk, skb, traffic_key,
>                         (phash - (u8 *)th), sne);
> -       if (memcmp(phash, hash_buf, maclen)) {
> +       if (crypto_memneq(phash, hash_buf, maclen)) {
>                 NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD);
>                 atomic64_inc(&info->counters.pkt_bad);
>                 atomic64_inc(&key->pkt_bad);
>                 trace_tcp_ao_mismatch(sk, skb, aoh->keyid,
>                                       aoh->rnext_keyid, maclen);
>
> base-commit: 9439a661c2e80485406ce2c90b107ca17858382d
> --
> 2.53.0
>
Re: [PATCH net] net/tcp-ao: Fix MAC comparison to be constant-time
Posted by Eric Biggers 4 hours ago 
On Mon, Mar 02, 2026 at 08:59:50PM +0000, Dmitry Safonov wrote:
> On Mon, 2 Mar 2026 at 20:36, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > To prevent timing attacks, MACs need to be compared in constant
> > time.  Use the appropriate helper function for this.
> >
> > Fixes: 0a3a809089eb ("net/tcp: Verify inbound TCP-AO signed segments")
> > Cc: stable@vger.kernel.org
> > Cc: Dmitry Safonov <0x7f454c46@gmail.com>
> > Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> 
> Thanks, Eric, LGTM.
> 
> Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
> 
> Could you also send a similar patch for TCP-MD5?
> tcp_inbound_md5_hash(), tcp_v{4,6}_send_reset() would need the same change.

Already done, it was the first one I sent:
https://lore.kernel.org/netdev/20260302203409.13388-1-ebiggers@kernel.org/

- Eric

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.