From d19325f59fd7a16b2759c55d0837d754c2f532f4 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 22 May 2025 12:33:36 +0000
Subject: Use timingsafe_memcmp() in CRYPTO_gcm128_finish(). When checking the GCM tag, use timingsafe_memcmp() instead of memcmp(). ok tb@
---
 src/lib/libcrypto/modes/gcm128.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/lib/libcrypto/modes/gcm128.c b/src/lib/libcrypto/modes/gcm128.c
index ab3388cac8..5ac00b0b48 100644
--- a/src/lib/libcrypto/modes/gcm128.c
+++ b/src/lib/libcrypto/modes/gcm128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gcm128.c,v 1.45 2025/05/21 12:12:42 jsing Exp $ */
+/* $OpenBSD: gcm128.c,v 1.46 2025/05/22 12:33:36 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2010 The OpenSSL Project. All rights reserved.
 *
@@ -679,7 +679,7 @@ CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag,
 ctx->Xi.u[1] ^= ctx->EK0.u[1];
 if (tag && len <= sizeof(ctx->Xi))
- return memcmp(ctx->Xi.c, tag, len);
+ return timingsafe_memcmp(ctx->Xi.c, tag, len);
 else
 return -1;
 }
--
cgit v1.2.3-55-g6feb
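Review bot: The guard in front of the new `timingsafe_memcmp()` call bounds `len` only from above, so a call with `len == 0` compares no bytes and returns 0, which a caller that reads 0 as "tag verified" would accept. The constant-time comparison does not change that. If no caller legitimately passes a zero length, the condition could become `if (tag != NULL && len > 0 && len <= sizeof(ctx->Xi))`. Otherwise, a comment such as `/* Callers must enforce the minimum tag length; len == 0 compares nothing and returns 0. */` would document the contract. Whether callers already enforce a minimum tag length is not visible in this hunk, and the body of CRYPTO_gcm128_finish() begins above it.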