Add constant time MAC verification

Will Cosgrove · Will Cosgrove · commit cfea34bcc2f8 · 2026-03-31T12:44:28.000-07:00
diff --git a/src/misc.c b/src/misc.c
@@ -966,3 +966,14 @@ int _libssh2_eob(struct string_buf *buf)
     unsigned char *endp = &buf->data[buf->len];
     return buf->dataptr >= endp;
 }
+
+int _libssh2_timingsafe_bcmp(const void *b1, const void *b2, size_t n)
+{
+    const unsigned char *p1 = (unsigned char *)b1;
+    const unsigned char *p2 = (unsigned char *)b2;
+    int ret = 0;
+
+    for(; n > 0; n--)
+        ret |= *p1++ ^ *p2++;
+    return (ret != 0);
+}
diff --git a/src/misc.h b/src/misc.h
@@ -141,4 +141,6 @@ void _libssh2_xor_data(unsigned char *output,
                        const unsigned char *input2,
                        size_t length);
 
+int _libssh2_timingsafe_bcmp(const void *b1, const void *b2, size_t n);
+
 #endif /* LIBSSH2_MISC_H */
diff --git a/src/transport.c b/src/transport.c
@@ -226,7 +226,9 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
              * buffer. Note that 'payload_len' here is the packet_length
              * field which includes the padding but not the MAC.
              */
-            if(memcmp(macbuf, p->payload + p->total_num - mac_len, mac_len)) {
+            if(_libssh2_timingsafe_bcmp(macbuf,
+                                        p->payload + p->total_num - mac_len,
+                                        mac_len)) {
                 _libssh2_debug((session, LIBSSH2_TRACE_SOCKET,
                                "Failed MAC check"));
                 session->fullpacket_macstate = LIBSSH2_MAC_INVALID;
