From 5654c593dfd41b756d3239b2108f51349a4ee18d Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 8 Jan 2026 12:46:56 +0100
Subject: [PATCH] ed25519: Avoid timing leak when comparing private keys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This affects libgcrypt and mbedTLS backends. The OpenSSL backend is using OpenSSL implementation of the Ed25519 which is compared correctly.

Signed-off-by: Jakub Jelen
Reviewed-by: Pavol Žáčik
---
 src/pki_ed25519.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/pki_ed25519.c b/src/pki_ed25519.c
index 636b872e..f3954064 100644
--- a/src/pki_ed25519.c
+++ b/src/pki_ed25519.c
@@ -104,9 +104,9 @@ pki_ed25519_key_cmp(const ssh_key k1, const ssh_key k2, enum ssh_keycmp_e what)
 }
 /* In the internal implementation, the private key is the concatenation
  * of the private seed with the public key. */
- cmp = memcmp(k1->ed25519_privkey,
- k2->ed25519_privkey,
- 2 * ED25519_KEY_LEN);
+ cmp = secure_memcmp(k1->ed25519_privkey,
+ k2->ed25519_privkey,
+ 2 * ED25519_KEY_LEN);
 if (cmp != 0) {
 return 1;
 }
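Review bot: The new `cmp = secure_memcmp(...)` call carries no comment stating why a constant-time compare is required at this spot, so a later cleanup could plausibly swap it back to memcmp; the existing comment only describes the seed‖pubkey layout, not the timing concern. I would extend that comment with `/* Constant-time compare: an early-exit memcmp would leak, via timing, how many leading bytes of the secret seed match. */`. Note also that the result is only tested with `if (cmp != 0)`, which is all a constant-time comparator should be relied on for — presumably secure_memcmp (defined elsewhere) gives equality only, not ordering, so `cmp` must not later be reused as a sort key. The enclosing pki_ed25519_key_cmp starts before and continues after this hunk; I assume the NULL checks on both ed25519_privkey pointers live in the block closed by the leading `}`, which is outside the visible lines.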