authorGlenn Strauss <gstrauss@gluelogic.com>2019-09-08 18:26:58 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2019-09-08 18:26:58 -0400
commit0e749c1c84326a51f0f8a80c6db49c31c8e920ab (patch)
treec8fcd7135c621fa228194009e22e697e2e2b8985 /src/mod_auth.c
parent89dfbf14a5f9bb19bc89e9c29bffe2f5e8dcdcaa (diff)
[mod_auth] http_auth_const_time_memeq() (#2975, #2976)
use constant time comparison when comparing digests (mitigation for brute-force timing attacks against digests generated using the same nonce) x-ref: "Digest auth nonces are not validated" https://redmine.lighttpd.net/issues/2976 "safe_memcmp new function proposal" https://redmine.lighttpd.net/issues/2975
Diffstat (limited to 'src/mod_auth.c')
-rw-r--r--src/mod_auth.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/mod_auth.c b/src/mod_auth.c
index 34e5e91a..2a7bcea8 100644
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@@ -1128,7 +1128,7 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d,
mod_auth_digest_mutate(&ai,m,uri,nonce,cnonce,nc,qop);
- if (0 != memcmp(rdigest, ai.digest, ai.dlen)) {
+ if (!http_auth_const_time_memeq(rdigest, ai.digest, ai.dlen)) {
/* digest not ok */
log_error_write(srv, __FILE__, __LINE__, "sssB",
"digest: auth failed for ", username, ": wrong password, IP:", con->dst_addr_buf);
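Review bot: The new comparison still reads `ai.dlen` bytes from `rdigest`, and nothing in this hunk shows that the decoded client `response=` value was already checked to be exactly `ai.dlen` bytes long — that length check presumably lives earlier in mod_auth_check_digest, which begins before this hunk, and should be confirmed, since a constant-time compare over a short client buffer is still an out-of-bounds read. The mitigation also depends on `http_auth_const_time_memeq` (defined outside this file) touching all `ai.dlen` bytes regardless of where the first mismatch occurs; if it short-circuits on length or on the first differing byte the timing channel the commit targets remains. The swapped line deserves a why-comment so the plain `memcmp` is not reintroduced later, e.g. `/* constant-time compare: a byte-by-byte early-exit memcmp leaks how many leading digest bytes matched (#2975, #2976) */`.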