authorGlenn Strauss <gstrauss@gluelogic.com>2019-09-08 18:26:58 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2019-09-08 18:26:58 -0400
commit0e749c1c84326a51f0f8a80c6db49c31c8e920ab (patch)
treec8fcd7135c621fa228194009e22e697e2e2b8985 /src/http_auth.h
parent89dfbf14a5f9bb19bc89e9c29bffe2f5e8dcdcaa (diff)
[mod_auth] http_auth_const_time_memeq() (#2975, #2976)
use constant time comparison when comparing digests (mitigation for brute-force timing attacks against digests generated using the same nonce) x-ref: "Digest auth nonces are not validated" https://redmine.lighttpd.net/issues/2976 "safe_memcmp new function proposal" https://redmine.lighttpd.net/issues/2975
Diffstat (limited to 'src/http_auth.h')
-rw-r--r--src/http_auth.h3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/http_auth.h b/src/http_auth.h
index 64a32da7..5f6e00d4 100644
--- a/src/http_auth.h
+++ b/src/http_auth.h
@@ -71,6 +71,9 @@ const http_auth_backend_t * http_auth_backend_get (const buffer *name);
void http_auth_backend_set (const http_auth_backend_t *backend);
__attribute_pure__
+int http_auth_const_time_memeq (const void *a, const void *b, size_t len);
+
+__attribute_pure__
int http_auth_const_time_memeq_pad (const void *a, size_t alen, const void *b, size_t blen);
void http_auth_setenv(connection *con, const char *username, size_t ulen, const char *auth_type, size_t alen);
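Review bot: The new `http_auth_const_time_memeq()` declaration carries no comment stating its contract, and the name alone leaves two things a caller can get wrong. The `memeq` name suggests it returns nonzero when the buffers match, the opposite sense of `memcmp()`, so a call site converted from `memcmp(...) == 0` would need its test inverted; this is inferred from the name, since the definition is not visible in this header. Unlike the `_pad` variant below it, this one takes a single `len`, so both buffers must hold at least `len` bytes and the caller has to compare the lengths itself before calling. After confirming against the definition, I would add above the declaration `/* returns nonzero iff the first len bytes of a and b are equal; run time depends only on len, not on the contents; a and b must each be at least len bytes */`.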