From a96436a6d58884f8284211e7fa72d8cbd514c2d0 Mon Sep 17 00:00:00 2001
From: Stephen Waits
Date: Mon, 11 May 2026 17:22:42 -0600
Subject: [PATCH] fix(crypto): constant-time MAC compare

---
 src/Utils.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/Utils.cpp b/src/Utils.cpp
index 186c8720a2..f32b49c099 100644
--- a/src/Utils.cpp
+++ b/src/Utils.cpp
@@ -81,7 +81,11 @@ int Utils::MACThenDecrypt(const uint8_t* shared_secret, uint8_t* dest, const uin
 sha.update(src + CIPHER_MAC_SIZE, src_len - CIPHER_MAC_SIZE);
 sha.finalizeHMAC(shared_secret, PUB_KEY_SIZE, hmac, CIPHER_MAC_SIZE);
 }
- if (memcmp(hmac, src, CIPHER_MAC_SIZE) == 0) {
+ // Constant-time MAC compare: memcmp() returns at the first non-matching byte,
+ // leaking byte-of-first-mismatch via timing.
+ uint8_t diff = 0;
+ for (int k = 0; k < CIPHER_MAC_SIZE; k++) diff |= hmac[k] ^ src[k];
+ if (diff == 0) {
 return decrypt(shared_secret, dest, src + CIPHER_MAC_SIZE, src_len - CIPHER_MAC_SIZE);
 }
 return 0; // invalid HMAC
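Review bot: The OR-accumulate loop added before `if (diff == 0)` is the right idiom, but it is written inline as a one-off inside MACThenDecrypt; lift it into a file-local helper (a `static` function in Utils.cpp, name below is a suggestion) so the same audited routine serves any other tag comparison in the file and the loop bound becomes a `size_t` rather than `int k` compared against CIPHER_MAC_SIZE. The helper's comment should also state that C++ gives no timing guarantee and the accumulate form is merely the usual compiler-resistant shape, so a reviewer knows not to "simplify" it back to an early-exit compare. MACThenDecrypt starts above the hunk, so I cannot see whether `src_len >= CIPHER_MAC_SIZE` is checked before the `src_len - CIPHER_MAC_SIZE` arithmetic; if it is not, that pre-existing underflow risk is worth a separate fix.
```cpp
// Constant-time equality of two `len`-byte buffers: every byte is examined
// regardless of where (or whether) they differ. C++ gives no timing
// guarantee; the OR-accumulate form is the usual compiler-resistant idiom,
// so do not rewrite it as an early-exit compare.
static bool ct_equal(const uint8_t* a, const uint8_t* b, size_t len) {
  uint8_t diff = 0;
  for (size_t k = 0; k < len; k++) diff |= static_cast<uint8_t>(a[k] ^ b[k]);
  return diff == 0;
}

// … unchanged: Utils::MACThenDecrypt up to and including the HMAC computation …
    if (ct_equal(hmac, src, CIPHER_MAC_SIZE)) {
      return decrypt(shared_secret, dest, src + CIPHER_MAC_SIZE, src_len - CIPHER_MAC_SIZE);
    }
```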