From 0fc5b6d312fea35d788e92ffc5a6dc32638d32bc Mon Sep 17 00:00:00 2001
From: kenjiro <>
Date: Tue, 3 Jun 2025 08:42:15 +0000
Subject: Use timingsafe_memcmp when comparing authenticators

Replace memcmp() with timingsafe_memcmp() for authentication tag
comparison in AES-CCM, GCM, PKCS12 and AES key unwrap code paths
to ensure constant-time behavior and avoid potential timing side
channels.

This aligns with OpenSSL 1e4a355.

ok tb@
---
 src/lib/libcrypto/pkcs12/p12_mutl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'src/lib/libcrypto/pkcs12')

diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index 513aa54ada..4a9d0f9757 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_mutl.c,v 1.39 2025/05/10 05:54:38 tb Exp $ */
+/* $OpenBSD: p12_mutl.c,v 1.40 2025/06/03 08:42:15 kenjiro Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -189,10 +189,10 @@ PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
 		PKCS12error(PKCS12_R_MAC_GENERATION_ERROR);
 		return 0;
 	}
-	if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) ||
-	    memcmp(mac, p12->mac->dinfo->digest->data, maclen))
+	if (maclen != (unsigned int)p12->mac->dinfo->digest->length)
 		return 0;
-	return 1;
+
+	return timingsafe_memcmp(mac, p12->mac->dinfo->digest->data, maclen) == 0;
 }
 LCRYPTO_ALIAS(PKCS12_verify_mac);
 
-- 
cgit v1.2.3-55-g6feb