Use constant-time comparison for checking MAC tags.

[udpkey] / udpkey.c

diff --git a/udpkey.c b/udpkey.c
index d8845e1..452a857 100644 (file)
--- a/udpkey.c
+++ b/udpkey.c
@@ -59,6 +59,7 @@
 #include <mLib/tv.h>
 
 #include <catacomb/buf.h>
+#include <catacomb/ct.h>
 #include <catacomb/dh.h>
 #include <catacomb/ec.h>
 #include <catacomb/ec-keys.h>
@@ -1044,7 +1045,7 @@ static int doquery(int argc, char *argv[])
        h = GM_INIT(m);
        GH_HASH(h, p, n);
        tt = GH_DONE(h, 0);
-       if (memcmp(t, tt, s->k.tagsz) != 0) {
+       if (!ct_memeq(t, tt, s->k.tagsz)) {
          moan("incorrect tag from %s:%d",
               inet_ntoa(sin.sin_addr), ntohs(sin.sin_port));
          goto again;