From 1fa1c3f9db61e11d18363140f167ca1627e2f6ed Mon Sep 17 00:00:00 2001
From: Matt Johnston <matt@ucc.asn.au>
Date: Wed, 3 Jun 2015 22:15:12 +0800
Subject: [PATCH] note about constant_time_strcmp and lengths

---
 svr-authpasswd.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/svr-authpasswd.c b/svr-authpasswd.c
index 7a5a1210..0153a535 100644
--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
@@ -33,6 +33,8 @@
 
 #ifdef ENABLE_SVR_PASSWORD_AUTH
 
+/* not constant time when strings are differing lengths. 
+ string content isn't leaked, and crypt hashes are predictable length. */
 static int constant_time_strcmp(const char* a, const char* b) {
 	size_t la = strlen(a);
 	size_t lb = strlen(b);
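Review bot: The comment added above `constant_time_strcmp` records the timing caveat as an observation, but it does not state the restriction this places on callers: the helper is only appropriate when both arguments are crypt() hashes of predictable length. I would word it as a usage rule, for example `/* Only for comparing crypt() hashes: run time depends on the lengths of a and b, so lengths may leak but string content does not. Do not reuse for variable-length secrets. */`. The same comment should say that both pointers must be non-NULL, because `strlen(a)` and `strlen(b)` run unconditionally and crypt() can return NULL on failure; whether the caller already checks this is not visible here. The function body continues outside the hunk, so the length-mismatch path the comment refers to cannot be confirmed from these lines.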
-- 
GitLab