From 0fc5b6d312fea35d788e92ffc5a6dc32638d32bc Mon Sep 17 00:00:00 2001
From: kenjiro <>
Date: Tue, 3 Jun 2025 08:42:15 +0000
Subject: Use timingsafe_memcmp when comparing authenticators

Replace memcmp() with timingsafe_memcmp() for authentication tag
comparison in AES-CCM, GCM, PKCS12 and AES key unwrap code paths
to ensure constant-time behavior and avoid potential timing side
channels.

This aligns with OpenSSL 1e4a355.

ok tb@
---
 src/lib/libcrypto/aes/aes.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/lib/libcrypto/aes')

diff --git a/src/lib/libcrypto/aes/aes.c b/src/lib/libcrypto/aes/aes.c
index 50e4ce13cc..e630c3f81a 100644
--- a/src/lib/libcrypto/aes/aes.c
+++ b/src/lib/libcrypto/aes/aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes.c,v 1.8 2025/05/25 06:27:02 jsing Exp $ */
+/* $OpenBSD: aes.c,v 1.9 2025/06/03 08:42:15 kenjiro Exp $ */
 /* ====================================================================
  * Copyright (c) 2002-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -341,7 +341,7 @@ AES_unwrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
 	}
 	if (!iv)
 		iv = aes_wrap_default_iv;
-	if (memcmp(A, iv, 8)) {
+	if (timingsafe_memcmp(A, iv, 8) != 0) {
 		explicit_bzero(out, inlen);
 		return 0;
 	}
-- 
cgit v1.2.3-55-g6feb