Mercurial > dropbear
diff svr-authpasswd.c @ 817:a625f9e135a4
Constant time memcmp for the hmac and password crypt
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Thu, 03 Oct 2013 22:25:30 +0800 |
parents | 7bd88d546627 |
children | 50f8a24953e6 |
line wrap: on
line diff
--- a/svr-authpasswd.c Sat Sep 21 00:34:36 2013 +0800 +++ b/svr-authpasswd.c Thu Oct 03 22:25:30 2013 +0800 @@ -33,6 +33,17 @@ #ifdef ENABLE_SVR_PASSWORD_AUTH +static int constant_time_strcmp(const char* a, const char* b) { + size_t la = strlen(a); + size_t lb = strlen(b); + + if (la != lb) { + return 1; + } + + return constant_time_memcmp(a, b, la); +} + /* Process a password auth request, sending success or failure messages as * appropriate */ void svr_auth_password() { @@ -82,7 +93,7 @@ return; } - if (strcmp(testcrypt, passwdcrypt) == 0) { + if (constant_time_strcmp(testcrypt, passwdcrypt) == 0) { /* successful authentication */ dropbear_log(LOG_NOTICE, "Password auth succeeded for '%s' from %s",