# HG changeset patch
# User Matt Johnston
# Date 1433340912 -28800
# Node ID 50f8a24953e6482549928d2af466a6fdf890eb24
# Parent ad14e2e711901352ca6194933d94124927277bea
note about constant_time_strcmp and lengths
diff -r ad14e2e71190 -r 50f8a24953e6 svr-authpasswd.c
--- a/svr-authpasswd.c Wed Jun 03 21:45:32 2015 +0800
+++ b/svr-authpasswd.c Wed Jun 03 22:15:12 2015 +0800
@@ -33,6 +33,8 @@
 #ifdef ENABLE_SVR_PASSWORD_AUTH
+/* not constant time when strings are differing lengths.
+ string content isn't leaked, and crypt hashes are predictable length. */
 static int constant_time_strcmp(const char* a, const char* b) {
 size_t la = strlen(a);
 size_t lb = strlen(b);