[mod_auth] constant time compare plain passwords
(digests have same length)personal/stbuehler/fix-fdevent
parent
7265c72b6c
commit
81b7e8e2fb
|
@ -49,6 +49,23 @@ void http_auth_backend_set (const http_auth_backend_t *backend)
|
|||
}
|
||||
|
||||
|
||||
int http_auth_const_time_memeq (const char *a, const size_t alen, const char *b, const size_t blen)
|
||||
{
|
||||
/* constant time memory compare, unless compiler figures it out
|
||||
* (similar to mod_secdownload.c:const_time_memeq()) */
|
||||
/* round to next multiple of 64 to avoid potentially leaking exact
|
||||
* password length when subject to high precision timing attacks) */
|
||||
size_t lim = ((alen >= blen ? alen : blen) + 0xFFFFF) & ~0xFFFFF;
|
||||
int diff = 0;
|
||||
for (size_t i = 0, j = 0; lim; --lim) {
|
||||
diff |= (a[i] ^ b[j]);
|
||||
i += (i < alen);
|
||||
j += (j < blen);
|
||||
}
|
||||
return (0 == diff);
|
||||
}
|
||||
|
||||
|
||||
void http_auth_dumbdata_reset (void)
|
||||
{
|
||||
memset(http_auth_schemes, 0, sizeof(http_auth_schemes));
|
||||
|
|
|
@ -41,6 +41,7 @@ const http_auth_scheme_t * http_auth_scheme_get (const buffer *name);
|
|||
void http_auth_scheme_set (const http_auth_scheme_t *scheme);
|
||||
const http_auth_backend_t * http_auth_backend_get (const buffer *name);
|
||||
void http_auth_backend_set (const http_auth_backend_t *backend);
|
||||
int http_auth_const_time_memeq (const char *a, size_t alen, const char *b, size_t blen);
|
||||
|
||||
void http_auth_setenv(array *env, const char *username, size_t ulen, const char *auth_type, size_t alen);
|
||||
|
||||
|
|
|
@ -398,7 +398,7 @@ static handler_t mod_authn_file_plain_basic(server *srv, connection *con, void *
|
|||
mod_authn_file_patch_connection(srv, con, p);
|
||||
rc = mod_authn_file_htpasswd_get(srv, p->conf.auth_plain_userfile, username, password_buf);
|
||||
if (0 == rc) {
|
||||
rc = buffer_is_equal_string(password_buf, pw, strlen(pw)) ? 0 : -1;
|
||||
rc = http_auth_const_time_memeq(CONST_BUF_LEN(password_buf), pw, strlen(pw)) ? 0 : -1;
|
||||
}
|
||||
buffer_free(password_buf);
|
||||
UNUSED(con);
|
||||
|
|
Loading…
Reference in New Issue