transport.c: use constant time function for MAC memcmp() (libssh2#1824)

willco007 · Will Cosgrove · web-flow · commit 39f14b876049 · 2026-03-31T15:33:29.000-07:00
Notes: libssh2 uses a non-constant-time memcmp() call at transport.c:229 to verify SSH MAC tags. An on-path attacker can measure per-byte rejection latency to iteratively recover the correct MAC value without knowledge of the secret key, enabling MAC forgery. Empirical testing on macOS with libssh2 1.11.1_1 yields a t-statistic of 106.78 (threshold >2), confirming the oracle is real and practical (estimated 445,659 probes for full 32-byte HMAC-SHA2-256 forgery under lab conditions). Credit: [Pramod Kumar](https://github.com/infosecninja) --------- Co-authored-by: Will Cosgrove <will@everydaysoftware.net>
diff --git a/src/misc.c b/src/misc.c
@@ -966,3 +966,14 @@ int _libssh2_eob(struct string_buf *buf)
     unsigned char *endp = &buf->data[buf->len];
     return buf->dataptr >= endp;
 }
+
+int _libssh2_timingsafe_bcmp(const void *b1, const void *b2, size_t n)
+{
+    const unsigned char *p1 = (const unsigned char *)b1;
+    const unsigned char *p2 = (const unsigned char *)b2;
+    int ret = 0;
+
+    for(; n > 0; n--)
+        ret |= *p1++ ^ *p2++;
+    return (ret != 0);
+}
diff --git a/src/misc.h b/src/misc.h
@@ -141,4 +141,6 @@ void _libssh2_xor_data(unsigned char *output,
                        const unsigned char *input2,
                        size_t length);
 
+int _libssh2_timingsafe_bcmp(const void *b1, const void *b2, size_t n);
+
 #endif /* LIBSSH2_MISC_H */
diff --git a/src/transport.c b/src/transport.c
@@ -226,7 +226,9 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
              * buffer. Note that 'payload_len' here is the packet_length
              * field which includes the padding but not the MAC.
              */
-            if(memcmp(macbuf, p->payload + p->total_num - mac_len, mac_len)) {
+            if(_libssh2_timingsafe_bcmp(macbuf,
+                                        p->payload + p->total_num - mac_len,
+                                        mac_len)) {
                 _libssh2_debug((session, LIBSSH2_TRACE_SOCKET,
                                "Failed MAC check"));
                 session->fullpacket_macstate = LIBSSH2_MAC_INVALID;
