server: Compare MAC tags in constant time.

[tripe] / server / keyset.c

diff --git a/server/keyset.c b/server/keyset.c
index 898c55a..66a5961 100644 (file)
--- a/server/keyset.c
+++ b/server/keyset.c
@@ -28,11 +28,6 @@
 
 #include "tripe.h"
 
-/*----- Tunable parameters ------------------------------------------------*/
-
-#define T_EXP MIN(60)                  /* Expiry time for a key */
-#define T_REGEN MIN(45)                        /* Regeneration time for a key */
-
 /*----- Handy macros ------------------------------------------------------*/
 
 #define KEYOK(ks, now) ((ks)->sz_exp > 0 && (ks)->t_exp > now)
@@ -206,7 +201,7 @@ static int dodecrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq)
     GH_HASH(h, t, sizeof(t));
     GH_HASH(h, pseq, SEQSZ + ivsz + sz);
     mac = GH_DONE(h, 0);
-    eq = !memcmp(mac, pmac, tagsz);
+    eq = ct_memeq(mac, pmac, tagsz);
     IF_TRACING(T_KEYSET, {
       trace_block(T_CRYPTO, "crypto: computed MAC", mac, tagsz);
     })
@@ -359,15 +354,6 @@ keyset *ks_gen(const void *k, size_t x, size_t y, size_t z, peer *p)
   return (ks);
 }
 
-/* --- @ks_tregen@ --- *
- *
- * Arguments:  @keyset *ks@ = pointer to a keyset
- *
- * Returns:    The time at which moves ought to be made to replace this key.
- */
-
-time_t ks_tregen(keyset *ks) { return (ks->t_exp - T_EXP + T_REGEN); }
-
 /* --- @ks_activate@ --- *
  *
  * Arguments:  @keyset *ks@ = pointer to a keyset