Mercurial > dropbear
comparison svr-authpasswd.c @ 1086:50f8a24953e6
note about constant_time_strcmp and lengths
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Wed, 03 Jun 2015 22:15:12 +0800 |
| parents | a625f9e135a4 |
| children | aaf576b27a10 |
comparison
equal
deleted
inserted
replaced
| 1085:ad14e2e71190 | 1086:50f8a24953e6 |
|---|---|
| 31 #include "auth.h" | 31 #include "auth.h" |
| 32 #include "runopts.h" | 32 #include "runopts.h" |
| 33 | 33 |
| 34 #ifdef ENABLE_SVR_PASSWORD_AUTH | 34 #ifdef ENABLE_SVR_PASSWORD_AUTH |
| 35 | 35 |
| 36 /* not constant time when strings are differing lengths. | |
| 37 string content isn't leaked, and crypt hashes are predictable length. */ | |
| 36 static int constant_time_strcmp(const char* a, const char* b) { | 38 static int constant_time_strcmp(const char* a, const char* b) { |
| 37 size_t la = strlen(a); | 39 size_t la = strlen(a); |
| 38 size_t lb = strlen(b); | 40 size_t lb = strlen(b); |
| 39 | 41 |
| 40 if (la != lb) { | 42 if (la != lb) { |