@@ -668,6 +668,10 @@ buf_read_u32 (struct buffer *buf, bool *good)

     }

 }

+/**

+ * Compare src buffer contents with match.

+ * *NOT* constant time. Do not use when comparing HMACs.

+ */

 static inline bool

 buf_string_match (const struct buffer *src, const void *match, int size)

 {

@@ -676,6 +680,10 @@ buf_string_match (const struct buffer *src, const void *match, int size)

   return memcmp (BPTR (src), match, size) == 0;

 }

+/**

+ * Compare first size bytes of src buffer contents with match.

+ * *NOT* constant time. Do not use when comparing HMACs.

+ */

 static inline bool

 buf_string_match_head (const struct buffer *src, const void *match, int size)

 {

@@ -65,6 +65,24 @@

 #define CRYPT_ERROR(format) \

   do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)

+/**

+ * As memcmp(), but constant-time.

+ * Returns 0 when data is equal, non-zero otherwise.

+ */

+static int

+memcmp_constant_time (const void *a, const void *b, size_t size) {

+  const uint8_t * a1 = a;

+  const uint8_t * b1 = b;

+  int ret = 0;

+  size_t i;

+

+  for (i = 0; i < size; i++) {

+      ret |= *a1++ ^ *b1++;

+  }

+

+  return ret;

+}

+

 void

 openvpn_encrypt (struct buffer *buf, struct buffer work,

 		 const struct crypto_options *opt,

@@ -244,7 +262,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,

 	  hmac_ctx_final (ctx->hmac, local_hmac);

 	  /* Compare locally computed HMAC with packet HMAC */

-	  if (memcmp (local_hmac, BPTR (buf), hmac_len))

+	  if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))

 	    CRYPT_ERROR ("packet HMAC authentication failed");

 	  ASSERT (buf_advance (buf, hmac_len));