lighttpd
/
lighttpd1.4
2
0
Fork 0
Code Issues Releases Wiki Activity

[mod_auth] http_auth_const_time_memeq_pad() 

rename http_auth_const_time_memeq() to http_auth_const_time_memeq_pad()
for constant time padded comparison of strings of potentially different
length
personal/stbuehler/ci-build
Glenn Strauss 2019-09-08 18:25:39 -04:00
parent 6ad325c659
commit 89dfbf14a5
3 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/http_auth.c
View File

@ -51,7 +51,7 @@ void http_auth_backend_set (const http_auth_backend_t *backend)
}
int http_auth_const_time_memeq (const char *a, const size_t alen, const char *b, const size_t blen)
int http_auth_const_time_memeq_pad (const void *a, const size_t alen, const void *b, const size_t blen)
{
/* constant time memory compare, unless compiler figures it out
* (similar to mod_secdownload.c:const_time_memeq()) */

4
src/http_auth.h
View File

@ -69,7 +69,9 @@ const http_auth_scheme_t * http_auth_scheme_get (const buffer *name);
void http_auth_scheme_set (const http_auth_scheme_t *scheme);
const http_auth_backend_t * http_auth_backend_get (const buffer *name);
void http_auth_backend_set (const http_auth_backend_t *backend);
int http_auth_const_time_memeq (const char *a, size_t alen, const char *b, size_t blen);
__attribute_pure__
int http_auth_const_time_memeq_pad (const void *a, size_t alen, const void *b, size_t blen);
void http_auth_setenv(connection *con, const char *username, size_t ulen, const char *auth_type, size_t alen);

2
src/mod_authn_file.c
View File

@ -443,7 +443,7 @@ static handler_t mod_authn_file_plain_basic(server *srv, connection *con, void *
mod_authn_file_patch_connection(srv, con, p);
rc = mod_authn_file_htpasswd_get(srv, p->conf.auth_plain_userfile, CONST_BUF_LEN(username), password_buf);
if (0 == rc) {
rc = http_auth_const_time_memeq(CONST_BUF_LEN(password_buf), pw, strlen(pw)) ? 0 : -1;
rc = http_auth_const_time_memeq_pad(CONST_BUF_LEN(password_buf), pw, strlen(pw)) ? 0 : -1;
}
buffer_free(password_buf);
return 0 == rc && http_auth_match_rules(require, username->ptr, NULL, NULL)