From 8892577296dba23fdd531d222e66b208b60f12c4 Mon Sep 17 00:00:00 2001
From: Dirkjan Bussink <d.bussink@gmail.com>
Date: Wed, 23 Apr 2014 17:27:10 -0700
Subject: [PATCH] Use constant time comparison function for HMAC comparison

Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
Reviewed-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
(cherry picked from commit 46d15b316103587e5c185d2af69e906477c35a8b)
---
 src/packet_crypt.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/packet_crypt.c b/src/packet_crypt.c
index 7306e4b3..ba1d4af9 100644
--- a/src/packet_crypt.c
+++ b/src/packet_crypt.c
@@ -176,6 +176,17 @@ unsigned char *ssh_packet_encrypt(ssh_session session, void *data, uint32_t len)
   return session->current_crypto->hmacbuf;
 }
 
+static int secure_memcmp(const void *s1, const void *s2, size_t n)
+{
+    int rc = 0;
+    const unsigned char *p1 = s1;
+    const unsigned char *p2 = s2;
+    for (; n > 0; --n) {
+        rc |= *p1++ ^ *p2++;
+    }
+    return (rc != 0);
+}
+
 /**
  * @internal
  *
@@ -219,7 +230,7 @@ int ssh_packet_hmac_verify(ssh_session session,
   ssh_print_hexa("Computed mac",hmacbuf,len);
   ssh_print_hexa("seq",(unsigned char *)&seq,sizeof(uint32_t));
 #endif
-  if (memcmp(mac, hmacbuf, len) == 0) {
+  if (secure_memcmp(mac, hmacbuf, len) == 0) {
     return 0;
   }