From 424cd6943c82b7efe22833125ed082f8d569fcd4 Mon Sep 17 00:00:00 2001
From: Paul Bakker <p.j.bakker@polarssl.org>
Date: Thu, 31 Oct 2013 14:22:08 +0100
Subject: [PATCH] Check HMAC in constant-time in crypt_and_hash

---
 programs/aes/crypt_and_hash.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c
index d2845de88..50218e164 100644
--- a/programs/aes/crypt_and_hash.c
+++ b/programs/aes/crypt_and_hash.c
@@ -76,6 +76,7 @@ int main( int argc, char *argv[] )
     unsigned char digest[POLARSSL_MD_MAX_SIZE];
     unsigned char buffer[1024];
     unsigned char output[1024];
+    unsigned char diff;
 
     const cipher_info_t *cipher_info;
     const md_info_t *md_info;
@@ -476,7 +477,12 @@ int main( int argc, char *argv[] )
             goto exit;
         }
 
-        if( memcmp( digest, buffer, md_get_size( md_info ) ) != 0 )
+        /* Use constant-time buffer comparison */
+        diff = 0;
+        for( i = 0; i < md_get_size( md_info ); i++ )
+            diff |= digest[i] ^ buffer[i];
+
+        if( diff != 0 )
         {
             fprintf( stderr, "HMAC check failed: wrong key, "
                              "or file corrupted.\n" );