comparison svr-authpasswd.c @ 1086:50f8a24953e6
note about constant_time_strcmp and lengths
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Wed, 03 Jun 2015 22:15:12 +0800 |
parents | a625f9e135a4 |
children | aaf576b27a10 |
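--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
@@ -31,10 +31,12 @@
 #include "auth.h"
 #include "runopts.h"
 
 #ifdef ENABLE_SVR_PASSWORD_AUTH
 
+/* not constant time when strings are differing lengths.
+string content isn't leaked, and crypt hashes are predictable length. */
 static int constant_time_strcmp(const char* a, const char* b) {
 size_t la = strlen(a);
 size_t lb = strlen(b);
 
 if (la != lb) {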
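Review bot: The new comment above constant_time_strcmp documents the length-dependent timing but not the precondition the first two body lines impose: both `a` and `b` go straight into strlen(), so neither may be NULL. If either argument comes from crypt(), which can return NULL on failure, the caller has to check the result before comparing; the call site is not visible in this hunk, so that is worth confirming. I would extend the comment with something like `/* a and b must be non-NULL, NUL-terminated strings; check crypt() results before calling. */`. The "predictable length" claim presumably holds only when both hashes use the same scheme, which could be stated as well. The function body continues past the end of the hunk.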