From a28078fb975df3b25f10b8c61d8340cea4a16a42 Mon Sep 17 00:00:00 2001
From: Jean Snyman
Date: Thu, 27 Jun 2024 16:45:07 +0100
Subject: [PATCH] Change HMAC comparison which binds AK-EK to constant-time operation

Signed-off-by: Jean Snyman
---
 keylime/models/registrar/registrar_agent.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/keylime/models/registrar/registrar_agent.py b/keylime/models/registrar/registrar_agent.py
index 0a4c2cf22..ada510211 100644
--- a/keylime/models/registrar/registrar_agent.py
+++ b/keylime/models/registrar/registrar_agent.py
@@ -1,4 +1,5 @@
 import base64
+import hmac
 import cryptography.x509
 from cryptography.hazmat.primitives.asymmetric import ec, rsa
@@ -315,7 +316,7 @@ def produce_ak_challenge(self):
 def verify_ak_response(self, response):
 expected_response = crypto.do_hmac(self.key.encode(), self.agent_id)
- result = response == expected_response
+ result = hmac.compare_digest(response, expected_response)
 self.change("active", result)
 return result
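Review bot: `hmac.compare_digest` in `verify_ak_response` raises `TypeError` in cases where the old `==` simply evaluated to False: when the two arguments differ in type (str against bytes, or a None/non-string value) or when a str argument contains non-ASCII characters. `response` appears to originate from the agent being registered, so a malformed value could turn a failed verification into an unhandled exception and skip `self.change("active", result)`, leaving the record's state unchanged. The return type of `crypto.do_hmac` is not visible in this hunk, so confirm that both operands are always the same type. A mismatch should count as a failed check, for example by wrapping the call in a `try` and adding `except TypeError: result = False`.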