diff --git a/svr-authpasswd.c b/svr-authpasswd.c
index 7a5a1210235d62fd06bbac94e10d18da57bbf35c..0153a53563948ccd478bc0c25c799e854a53798e 100644
--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
@@ -33,6 +33,8 @@
 #ifdef ENABLE_SVR_PASSWORD_AUTH
+/* not constant time when strings are differing lengths.
+ string content isn't leaked, and crypt hashes are predictable length. */
 static int constant_time_strcmp(const char* a, const char* b) {
 size_t la = strlen(a);
 size_t lb = strlen(b);
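Review bot: The comment added above `constant_time_strcmp` relies on an input assumption that it never states as a contract for callers: the timing argument holds only if both arguments are crypt() outputs, whose length follows the hash scheme rather than the password. I would word it as a precondition and name what is still observable, for example `/* Constant time only for equal-length inputs; a length mismatch is visible through timing. Callers must pass two crypt() hashes, whose length depends on the scheme and not on the password. */`. Both arguments go straight into `strlen`, so the contract could also require them to be non-NULL, since crypt() can return NULL on failure. Whether the caller checks that is not visible here, and the function body continues outside the hunk.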