Constant time memcmp for the hmac and password crypt

dbutil.c

@@ -884,3 +884,16 @@ int m_str_to_uint(const char* str, unsigned int *val) {
 		return DROPBEAR_SUCCESS;
 	}
 }
+
+int constant_time_memcmp(const void* a, const void *b, size_t n)
+{
+	const char *xa = a, *xb = b;
+	uint8_t c = 0;
+	size_t i;
+	for (i = 0; i < n; i++)
+	{
+		c |= (xa[i] ^ xb[i]);
+	}
+	return c;
+}
+

dbutil.h

@@ -94,4 +94,7 @@ int m_str_to_uint(const char* str, unsigned int *val);
 /* Dropbear assertion */
 #define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
 
+/* Returns 0 if a and b have the same contents */
+int constant_time_memcmp(const void* a, const void *b, size_t n);
+
 #endif /* _DBUTIL_H_ */

packet.c

@@ -376,7 +376,7 @@ static int checkmac() {
 
 	/* compare the hash */
 	buf_setpos(ses.readbuf, contents_len);
-	if (memcmp(mac_bytes, buf_getptr(ses.readbuf, mac_size), mac_size) != 0) {
+	if (constant_time_memcmp(mac_bytes, buf_getptr(ses.readbuf, mac_size), mac_size) != 0) {
 		return DROPBEAR_FAILURE;
 	} else {
 		return DROPBEAR_SUCCESS;

svr-authpasswd.c

@@ -33,6 +33,17 @@
 
 #ifdef ENABLE_SVR_PASSWORD_AUTH
 
+static int constant_time_strcmp(const char* a, const char* b) {
+	size_t la = strlen(a);
+	size_t lb = strlen(b);
+
+	if (la != lb) {
+		return 1;
+	}
+
+	return constant_time_memcmp(a, b, la);
+}
+
 /* Process a password auth request, sending success or failure messages as
  * appropriate */
 void svr_auth_password() {
@@ -82,7 +93,7 @@ void svr_auth_password() {
 		return;
 	}
 
-	if (strcmp(testcrypt, passwdcrypt) == 0) {
+	if (constant_time_strcmp(testcrypt, passwdcrypt) == 0) {
 		/* successful authentication */
 		dropbear_log(LOG_NOTICE, 
 				"Password auth succeeded for '%s' from %s",