From: "Lars Wendler" <polynomial-c@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/dhcpcd/files/, net-misc/dhcpcd/
Date: Fri, 26 Apr 2019 15:07:31 +0000 (UTC)	[thread overview]
Message-ID: <1556291241.e9b5b1738178ec8da65c5371a1a9977d593a459d.polynomial-c@gentoo> (raw)

commit:     e9b5b1738178ec8da65c5371a1a9977d593a459d
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Fri Apr 26 15:01:47 2019 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Fri Apr 26 15:07:21 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9b5b173

net-misc/dhcpcd: Security bump to versions 7.1.1-r2 and 7.2.1

Bug: https://bugs.gentoo.org/684430
Package-Manager: Portage-2.3.65, Repoman-2.3.12
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 net-misc/dhcpcd/Manifest                           |   1 +
 net-misc/dhcpcd/dhcpcd-7.1.1-r2.ebuild             | 153 +++++++++++++++
 net-misc/dhcpcd/dhcpcd-7.2.1.ebuild                | 148 ++++++++++++++
 net-misc/dhcpcd/files/dhcpcd-7.1.1-overflows.patch | 213 +++++++++++++++++++++
 4 files changed, 515 insertions(+)

diff --git a/net-misc/dhcpcd/Manifest b/net-misc/dhcpcd/Manifest
index 46dec13be6d..1085dcb6737 100644
--- a/net-misc/dhcpcd/Manifest
+++ b/net-misc/dhcpcd/Manifest
@@ -2,3 +2,4 @@ DIST dhcpcd-7.0.1.tar.xz 207908 BLAKE2B 1a9350a0c4a9eb1eb6f5a7be78beb4a5fecd802e
 DIST dhcpcd-7.0.8.tar.xz 210752 BLAKE2B ad8ba622589cc1c8c4bb332470c59527e03c817729f43a5b55b4f53f8ed60f35faaffbff24416f8596e78df8deb304f0598e27d890e9601d36c81250fda99942 SHA512 82cd845eb35670788b8f31b973945460f4c5f1a0a3025e3a452b79230dc30704e129d97140e6aec6d0281e0c89c333c0ce0af03c4767b2e5e66547ed3e071953
 DIST dhcpcd-7.1.1.tar.xz 211788 BLAKE2B 984ec97ffdcb15883f57f9e2a699a7c8f006b2630e7651ab9d55e7a980045f8891f09d9f7be420969203a59671d097a1ed76621fe4a62ff26a5020fc8becfe69 SHA512 8791e718d65ef8ae23a16b98e82824860fa91914e6eb0a42cdbbca28236c1c38005ada44214bde33aac57152fe675debebdb5d141b67dcfc82012996d8337bb4
 DIST dhcpcd-7.2.0.tar.xz 212532 BLAKE2B c8768df8006d517d0082f08c6ceebfe5a31695485d32d477acc1c4b9bfce8541110388f186c2ef94642e0692c279fc6d89239cbd8ac07d6ed248e67721c07db5 SHA512 2ab7df53ed42cd7a274bbc9cfb9dca43a8615d9044c0e9f460c41f064ad012b436bf2fe2648dd2738e66aaefc72412cad6c59444631b650f942cba168127a79d
+DIST dhcpcd-7.2.1.tar.xz 213652 BLAKE2B cae5a68ecf285825e6376c8b5bef5f3aba3bb8a393ba4298d8e990d665dd948369f24f688cdb85006df535b7f9b412c795d8eb7817a92e8d9992bdc7b7757a1e SHA512 11c3ef6d3ee49e147aa44725aa1ac0cddff70a268908439fe91990e135175d063e3d65ab587e1780e4f6f0739cf33873a58ffea0a3130d1bfb5598f9f11ec5a3

diff --git a/net-misc/dhcpcd/dhcpcd-7.1.1-r2.ebuild b/net-misc/dhcpcd/dhcpcd-7.1.1-r2.ebuild
new file mode 100644
index 00000000000..ff35a7a23d7
--- /dev/null
+++ b/net-misc/dhcpcd/dhcpcd-7.1.1-r2.ebuild
@@ -0,0 +1,153 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit systemd toolchain-funcs
+
+if [[ ${PV} == "9999" ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://roy.marples.name/git/dhcpcd.git"
+else
+	MY_P="${P/_alpha/-alpha}"
+	MY_P="${MY_P/_beta/-beta}"
+	MY_P="${MY_P/_rc/-rc}"
+	SRC_URI="https://roy.marples.name/downloads/${PN}/${MY_P}.tar.xz"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux"
+	S="${WORKDIR}/${MY_P}"
+fi
+
+DESCRIPTION="A fully featured, yet light weight RFC2131 compliant DHCP client"
+HOMEPAGE="https://roy.marples.name/projects/dhcpcd"
+LICENSE="BSD-2"
+SLOT="0"
+IUSE="elibc_glibc +embedded ipv6 kernel_linux +udev"
+
+COMMON_DEPEND="udev? ( virtual/udev )"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+
+PATCHES=(
+	"${FILESDIR}"/${P}-disable_inet6_fix.patch #677508
+	"${FILESDIR}"/${PN}-7.1.1-overflows.patch
+)
+
+src_configure() {
+	local dev hooks=() rundir
+	use udev || dev="--without-dev --without-udev"
+	hooks=( --with-hook=ntp.conf )
+	use elibc_glibc && hooks+=( --with-hook=yp.conf )
+	use kernel_linux && rundir="--rundir=${EPREFIX}/run"
+	local myeconfargs=(
+		--prefix="${EPREFIX}"
+		--libexecdir="${EPREFIX}/lib/dhcpcd"
+		--dbdir="${EPREFIX}/var/lib/dhcpcd"
+		--localstatedir="${EPREFIX}/var"
+		${rundir}
+		$(use_enable embedded)
+		$(use_enable ipv6)
+		${dev}
+		CC="$(tc-getCC)"
+		${hooks[@]}
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_install() {
+	default
+	keepdir /var/lib/dhcpcd
+	newinitd "${FILESDIR}"/${PN}.initd ${PN}
+	systemd_dounit "${FILESDIR}"/${PN}.service
+}
+
+pkg_postinst() {
+	local dbdir="${EROOT%/}"/var/lib/dhcpcd old_files=()
+
+	local old_old_duid="${EROOT%/}"/var/lib/dhcpcd/dhcpcd.duid
+	local old_duid="${EROOT%/}"/etc/dhcpcd.duid
+	local new_duid="${dbdir}"/duid
+	if [[ -e "${old_old_duid}" ]] ; then
+		# Upgrade the duid file to the new format if needed
+		if ! grep -q '..:..:..:..:..:..' "${old_old_duid}"; then
+			sed -i -e 's/\(..\)/\1:/g; s/:$//g' "${old_old_duid}"
+		fi
+
+		# Move the duid to /etc, a more sensible location
+		if [[ ! -e "${old_duid}" ]] ; then
+			cp -p "${old_old_duid}" "${new_duid}"
+		fi
+		old_files+=( "${old_old_duid}" )
+	fi
+
+	# dhcpcd-7 moves the files out of /etc
+	if [[ -e "${old_duid}" ]] ; then
+		if [[ ! -e "${new_duid}" ]] ; then
+			cp -p "${old_duid}" "${new_duid}"
+		fi
+		old_files+=( "${old_duid}" )
+	fi
+	local old_secret="${EROOT%/}"/etc/dhcpcd.secret
+	local new_secret="${dbdir}"/secret
+	if [[ -e "${old_secret}" ]] ; then
+		if [[ ! -e "${new_secret}" ]] ; then
+			cp -p "${old_secret}" "${new_secret}"
+		fi
+		old_files+=( "${old_secret}" )
+	fi
+
+	# dhcpcd-7 renames some files in /var/lib/dhcpcd
+	local old_rdm="${dbdir}"/dhcpcd-rdm.monotonic
+	local new_rdm="${dbdir}"/rdm_monotonic
+	if [[ -e "${old_rdm}" ]] ; then
+		if [[ ! -e "${new_rdm}" ]] ; then
+			cp -p "${old_rdm}" "${new_rdm}"
+		fi
+		old_files+=( "${old_rdm}" )
+	fi
+	local lease=
+	for lease in "${dbdir}"/dhcpcd-*.lease*; do
+		[[ -f "${lease}" ]] || continue
+		old_files+=( "${lease}" )
+		local new_lease=$(basename "${lease}" | sed -e "s/dhcpcd-//")
+		[[ -e "${dbdir}/${new_lease}" ]] && continue
+		cp "${lease}" "${dbdir}/${new_lease}"
+	done
+
+	# Warn about removing stale files
+	if [[ -n "${old_files[@]}" ]] ; then
+		elog
+		elog "dhcpcd-7 has copied dhcpcd.duid and dhcpcd.secret from"
+		elog "${EROOT%/}/etc to ${dbdir}"
+		elog "and copied leases in ${dbdir} to new files with the dhcpcd-"
+		elog "prefix dropped."
+		elog
+		elog "You should remove these files if you don't plan on reverting"
+		elog "to an older version:"
+		local old_file=
+		for old_file in ${old_files[@]}; do
+			elog "	${old_file}"
+		done
+	fi
+
+	if [ -z "${REPLACING_VERSIONS}" ]; then
+		elog
+		elog "dhcpcd has zeroconf support active by default."
+		elog "This means it will always obtain an IP address even if no"
+		elog "DHCP server can be contacted, which will break any existing"
+		elog "failover support you may have configured in your net configuration."
+		elog "This behaviour can be controlled with the noipv4ll configuration"
+		elog "file option or the -L command line switch."
+		elog "See the dhcpcd and dhcpcd.conf man pages for more details."
+
+		elog
+		elog "Dhcpcd has duid enabled by default, and this may cause issues"
+		elog "with some dhcp servers. For more information, see"
+		elog "https://bugs.gentoo.org/show_bug.cgi?id=477356"
+	fi
+
+	if ! has_version net-dns/bind-tools; then
+		elog
+		elog "If you activate the lookup-hostname hook to look up your hostname"
+		elog "using the dns, you need to install net-dns/bind-tools."
+	fi
+}
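Review bot: In pkg_postinst the legacy-DUID branch tests one path and writes another: `if [[ ! -e "${old_duid}" ]]` guards `cp -p "${old_old_duid}" "${new_duid}"`. When `${EROOT%/}/etc/dhcpcd.duid` is absent, an existing `${dbdir}/duid` is therefore overwritten with the legacy file on each merge for as long as the legacy file is still there. The DUID is the identity the client presents to DHCP servers, so silently replacing it can change leases and reservations. The guard should protect the destination, `if [[ ! -e "${new_duid}" ]] ; then`, as the secret and rdm_monotonic blocks below it already do. The comment "Move the duid to /etc" no longer matches the copy and could read `# Copy the legacy duid into ${dbdir} unless one already exists`; the same lines appear in pkg_postinst of dhcpcd-7.2.1.ebuild.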

diff --git a/net-misc/dhcpcd/dhcpcd-7.2.1.ebuild b/net-misc/dhcpcd/dhcpcd-7.2.1.ebuild
new file mode 100644
index 00000000000..48ba26275d0
--- /dev/null
+++ b/net-misc/dhcpcd/dhcpcd-7.2.1.ebuild
@@ -0,0 +1,148 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit systemd toolchain-funcs
+
+if [[ ${PV} == "9999" ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://roy.marples.name/git/dhcpcd.git"
+else
+	MY_P="${P/_alpha/-alpha}"
+	MY_P="${MY_P/_beta/-beta}"
+	MY_P="${MY_P/_rc/-rc}"
+	SRC_URI="https://roy.marples.name/downloads/${PN}/${MY_P}.tar.xz"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux"
+	S="${WORKDIR}/${MY_P}"
+fi
+
+DESCRIPTION="A fully featured, yet light weight RFC2131 compliant DHCP client"
+HOMEPAGE="https://roy.marples.name/projects/dhcpcd"
+LICENSE="BSD-2"
+SLOT="0"
+IUSE="elibc_glibc +embedded ipv6 kernel_linux +udev"
+
+COMMON_DEPEND="udev? ( virtual/udev )"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+
+src_configure() {
+	local dev hooks=() rundir
+	use udev || dev="--without-dev --without-udev"
+	hooks=( --with-hook=ntp.conf )
+	use elibc_glibc && hooks+=( --with-hook=yp.conf )
+	use kernel_linux && rundir="--rundir=${EPREFIX}/run"
+	local myeconfargs=(
+		--prefix="${EPREFIX}"
+		--libexecdir="${EPREFIX}/lib/dhcpcd"
+		--dbdir="${EPREFIX}/var/lib/dhcpcd"
+		--localstatedir="${EPREFIX}/var"
+		${rundir}
+		$(use_enable embedded)
+		$(use_enable ipv6)
+		${dev}
+		CC="$(tc-getCC)"
+		${hooks[@]}
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_install() {
+	default
+	keepdir /var/lib/dhcpcd
+	newinitd "${FILESDIR}"/${PN}.initd ${PN}
+	systemd_dounit "${FILESDIR}"/${PN}.service
+}
+
+pkg_postinst() {
+	local dbdir="${EROOT%/}"/var/lib/dhcpcd old_files=()
+
+	local old_old_duid="${EROOT%/}"/var/lib/dhcpcd/dhcpcd.duid
+	local old_duid="${EROOT%/}"/etc/dhcpcd.duid
+	local new_duid="${dbdir}"/duid
+	if [[ -e "${old_old_duid}" ]] ; then
+		# Upgrade the duid file to the new format if needed
+		if ! grep -q '..:..:..:..:..:..' "${old_old_duid}"; then
+			sed -i -e 's/\(..\)/\1:/g; s/:$//g' "${old_old_duid}"
+		fi
+
+		# Move the duid to /etc, a more sensible location
+		if [[ ! -e "${old_duid}" ]] ; then
+			cp -p "${old_old_duid}" "${new_duid}"
+		fi
+		old_files+=( "${old_old_duid}" )
+	fi
+
+	# dhcpcd-7 moves the files out of /etc
+	if [[ -e "${old_duid}" ]] ; then
+		if [[ ! -e "${new_duid}" ]] ; then
+			cp -p "${old_duid}" "${new_duid}"
+		fi
+		old_files+=( "${old_duid}" )
+	fi
+	local old_secret="${EROOT%/}"/etc/dhcpcd.secret
+	local new_secret="${dbdir}"/secret
+	if [[ -e "${old_secret}" ]] ; then
+		if [[ ! -e "${new_secret}" ]] ; then
+			cp -p "${old_secret}" "${new_secret}"
+		fi
+		old_files+=( "${old_secret}" )
+	fi
+
+	# dhcpcd-7 renames some files in /var/lib/dhcpcd
+	local old_rdm="${dbdir}"/dhcpcd-rdm.monotonic
+	local new_rdm="${dbdir}"/rdm_monotonic
+	if [[ -e "${old_rdm}" ]] ; then
+		if [[ ! -e "${new_rdm}" ]] ; then
+			cp -p "${old_rdm}" "${new_rdm}"
+		fi
+		old_files+=( "${old_rdm}" )
+	fi
+	local lease=
+	for lease in "${dbdir}"/dhcpcd-*.lease*; do
+		[[ -f "${lease}" ]] || continue
+		old_files+=( "${lease}" )
+		local new_lease=$(basename "${lease}" | sed -e "s/dhcpcd-//")
+		[[ -e "${dbdir}/${new_lease}" ]] && continue
+		cp "${lease}" "${dbdir}/${new_lease}"
+	done
+
+	# Warn about removing stale files
+	if [[ -n "${old_files[@]}" ]] ; then
+		elog
+		elog "dhcpcd-7 has copied dhcpcd.duid and dhcpcd.secret from"
+		elog "${EROOT%/}/etc to ${dbdir}"
+		elog "and copied leases in ${dbdir} to new files with the dhcpcd-"
+		elog "prefix dropped."
+		elog
+		elog "You should remove these files if you don't plan on reverting"
+		elog "to an older version:"
+		local old_file=
+		for old_file in ${old_files[@]}; do
+			elog "	${old_file}"
+		done
+	fi
+
+	if [ -z "${REPLACING_VERSIONS}" ]; then
+		elog
+		elog "dhcpcd has zeroconf support active by default."
+		elog "This means it will always obtain an IP address even if no"
+		elog "DHCP server can be contacted, which will break any existing"
+		elog "failover support you may have configured in your net configuration."
+		elog "This behaviour can be controlled with the noipv4ll configuration"
+		elog "file option or the -L command line switch."
+		elog "See the dhcpcd and dhcpcd.conf man pages for more details."
+
+		elog
+		elog "Dhcpcd has duid enabled by default, and this may cause issues"
+		elog "with some dhcp servers. For more information, see"
+		elog "https://bugs.gentoo.org/show_bug.cgi?id=477356"
+	fi
+
+	if ! has_version net-dns/bind-tools; then
+		elog
+		elog "If you activate the lookup-hostname hook to look up your hostname"
+		elog "using the dns, you need to install net-dns/bind-tools."
+	fi
+}
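Review bot: The stale-file report at the end of pkg_postinst expands the array unquoted, `for old_file in ${old_files[@]}; do`, so each collected path is word-split and glob-expanded before it is logged. The lease entries come from the `dhcpcd-*.lease*` glob; if those file names carry network-supplied text such as an SSID (not visible here), a name containing spaces or `*` would be printed as several wrong paths, in a message that asks the user to delete them. I would write `for old_file in "${old_files[@]}"; do` and test the array with `if (( ${#old_files[@]} )) ; then` rather than `[[ -n "${old_files[@]}" ]]`. dhcpcd-7.1.1-r2.ebuild has the same two lines.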

diff --git a/net-misc/dhcpcd/files/dhcpcd-7.1.1-overflows.patch b/net-misc/dhcpcd/files/dhcpcd-7.1.1-overflows.patch
new file mode 100644
index 00000000000..6ec780936a8
--- /dev/null
+++ b/net-misc/dhcpcd/files/dhcpcd-7.1.1-overflows.patch
@@ -0,0 +1,213 @@
+https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68
+
+From 8d11b33f6c60e2db257130fa383ba76b6018bcf6 Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Fri, 19 Apr 2019 09:45:02 +0100
+Subject: DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
+
+Only copy upto the size of the address option rather than the
+option length.
+
+Found by Maxime Villard <max@m00nbsd.net>
+---
+ src/dhcp6.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index 99a452b..8fc4f00 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -2029,12 +2029,12 @@ dhcp6_findna(struct interface *ifp, uint16_t ot, const uint8_t *iaid,
+ 		nd = o + ol;
+ 		l -= (size_t)(nd - d);
+ 		d = nd;
+-		if (ol < 24) {
++		if (ol < sizeof(ia)) {
+ 			errno = EINVAL;
+ 			logerrx("%s: IA Address option truncated", ifp->name);
+ 			continue;
+ 		}
+-		memcpy(&ia, o, ol);
++		memcpy(&ia, o, sizeof(ia));
+ 		ia.pltime = ntohl(ia.pltime);
+ 		ia.vltime = ntohl(ia.vltime);
+ 		/* RFC 3315 22.6 */
+-- 
+cgit v1.1
+
+
+From 4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8 Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Fri, 19 Apr 2019 21:00:19 +0100
+Subject: DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
+
+This fix basically moves the option length check up and also
+corrects an off by one error with it.
+
+Thanks to Maxime Villard <max@m00nbsd.net>
+---
+ src/dhcp.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/dhcp.c b/src/dhcp.c
+index f7cdefc..e13d1b4 100644
+--- a/src/dhcp.c
++++ b/src/dhcp.c
+@@ -215,6 +215,12 @@ get_option(struct dhcpcd_ctx *ctx,
+ 		}
+ 		l = *p++;
+ 
++		/* Check we can read the option data, if present */
++		if (p + l > e) {
++			errno = EINVAL;
++			return NULL;
++		}
++
+ 		if (o == DHO_OPTSOVERLOADED) {
+ 			/* Ensure we only get this option once by setting
+ 			 * the last bit as well as the value.
+@@ -249,10 +255,6 @@ get_option(struct dhcpcd_ctx *ctx,
+ 				bp += ol;
+ 			}
+ 			ol = l;
+-			if (p + ol >= e) {
+-				errno = EINVAL;
+-				return NULL;
+-			}
+ 			op = p;
+ 			bl += ol;
+ 		}
+-- 
+cgit v1.1
+
+
+From 7121040790b611ca3fbc400a1bbcd4364ef57233 Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Fri, 19 Apr 2019 21:40:14 +0100
+Subject: auth: Use consttime_memequal(3) to compare hashes
+
+This stops any attacker from trying to infer secrets from latency.
+
+Thanks to Maxime Villard <max@m00nbsd.net>
+---
+ src/auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/auth.c b/src/auth.c
+index 9e24998..ce97051 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -354,7 +354,7 @@ gottoken:
+ 	}
+ 
+ 	free(mm);
+-	if (memcmp(d, &hmac_code, dlen)) {
++	if (!consttime_memequal(d, &hmac_code, dlen)) {
+ 		errno = EPERM;
+ 		return NULL;
+ 	}
+-- 
+cgit v1.1
+
+
+From cfde89ab66cb4e5957b1c4b68ad6a9449e2784da Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Fri, 19 Apr 2019 21:42:07 +0100
+Subject: compat: Provide consttime_memequal if not in libc
+
+Public domain version by Matthias Drochner <drochner@netbsd.org>
+---
+ configure | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/configure b/configure
+index 570e65f..4f58f0f 100755
+--- a/configure
++++ b/configure
+@@ -13,6 +13,7 @@ IPV4LL=
+ INET6=
+ ARC4RANDOM=
+ CLOSEFROM=
++CONSTTIME_MEMEQUAL=
+ STRLCPY=
+ UDEV=
+ OS=
+@@ -846,6 +847,27 @@ if [ "$STRTOI" = no ]; then
+ 	echo "#include			\"compat/strtoi.h\"" >>$CONFIG_H
+ fi
+ 
++if [ -z "$CONSTTIME_MEMEQUAL" ]; then
++	printf "Testing for consttime_memequal ... "
++	cat <<EOF >_consttime_memequal.c
++#include <string.h>
++int main(void) {
++	return consttime_memequal("deadbeef", "deadbeef", 8);
++}
++EOF
++	if $XCC _consttime_memequal.c -o _consttime_memequal 2>&3; then
++		CONSTTIME_MEMEQUAL=yes
++	else
++		CONSTTIME_MEMEQUAL=no
++	fi
++	echo "$CONSTTIME_MEMEQUAL"
++	rm -f _consttime_memequal.c _consttime_memequal
++fi
++if [ "$CONSTTIME_MEMEQUAL" = no ]; then
++	echo "#include			\"compat/consttime_memequal.h\"" \
++	    >>$CONFIG_H
++fi
++
+ if [ -z "$DPRINTF" ]; then
+ 	printf "Testing for dprintf ... "
+ 	cat <<EOF >_dprintf.c
+-- 
+cgit v1.1
+
+
+From aee631aadeef4283c8a749c1caf77823304acf5e Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Fri, 19 Apr 2019 21:47:37 +0100
+Subject: Really add consttime_memequal
+
+---
+ compat/consttime_memequal.h | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+ create mode 100644 compat/consttime_memequal.h
+
+diff --git a/compat/consttime_memequal.h b/compat/consttime_memequal.h
+new file mode 100644
+index 0000000..9830648
+--- /dev/null
++++ b/compat/consttime_memequal.h
+@@ -0,0 +1,28 @@
++/*
++ * Written by Matthias Drochner <drochner@NetBSD.org>.
++ * Public domain.
++ */
++
++#ifndef CONSTTIME_MEMEQUAL_H
++#define CONSTTIME_MEMEQUAL_H
++inline static int
++consttime_memequal(const void *b1, const void *b2, size_t len)
++{
++	const unsigned char *c1 = b1, *c2 = b2;
++	unsigned int res = 0;
++
++	while (len--)
++		res |= *c1++ ^ *c2++;
++
++	/*
++	 * Map 0 to 1 and [1, 256) to 0 using only constant-time
++	 * arithmetic.
++	 *
++	 * This is not simply `!res' because although many CPUs support
++	 * branchless conditional moves and many compilers will take
++	 * advantage of them, certain compilers generate branches on
++	 * certain CPUs for `!res'.
++	 */
++	return (1 & ((res - 1) >> 8));
++}
++#endif /* CONSTTIME_MEMEQUAL_H */
+-- 
+cgit v1.1
+
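Review bot: The relocated bounds check in get_option, `if (p + l > e)`, computes `p + l` before comparing. When the length byte exceeds what remains in the message, that pointer lies past the end of the buffer, and forming such a pointer is undefined in C even if it is never dereferenced. Comparing lengths avoids the out-of-range pointer: `if (l > (size_t)(e - p)) {`. This relies on `p <= e` holding after `l = *p++`, and the guard on reading the length byte is outside the visible context, so that should be confirmed. get_option starts and ends outside the hunk.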

