From 89dfbf14a5f9bb19bc89e9c29bffe2f5e8dcdcaa Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Sun, 8 Sep 2019 18:25:39 -0400
Subject: [PATCH] [mod_auth] http_auth_const_time_memeq_pad()
rename http_auth_const_time_memeq() to http_auth_const_time_memeq_pad() for constant time padded comparison of strings of potentially different length
---
 src/http_auth.c | 2 +-
 src/http_auth.h | 4 +++-
 src/mod_authn_file.c | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/http_auth.c b/src/http_auth.c
index d3d3f6dd..24c2319a 100644
--- a/src/http_auth.c
+++ b/src/http_auth.c
@@ -51,7 +51,7 @@ void http_auth_backend_set (const http_auth_backend_t *backend)
 }
-int http_auth_const_time_memeq (const char *a, const size_t alen, const char *b, const size_t blen)
+int http_auth_const_time_memeq_pad (const void *a, const size_t alen, const void *b, const size_t blen)
 {
 /* constant time memory compare, unless compiler figures it out
 * (similar to mod_secdownload.c:const_time_memeq()) */
diff --git a/src/http_auth.h b/src/http_auth.h
index 5b9aacbd..64a32da7 100644
--- a/src/http_auth.h
+++ b/src/http_auth.h
@@ -69,7 +69,9 @@ const http_auth_scheme_t * http_auth_scheme_get (const buffer *name);
 void http_auth_scheme_set (const http_auth_scheme_t *scheme);
 const http_auth_backend_t * http_auth_backend_get (const buffer *name);
 void http_auth_backend_set (const http_auth_backend_t *backend);
-int http_auth_const_time_memeq (const char *a, size_t alen, const char *b, size_t blen);
+ __attribute_pure__
+int http_auth_const_time_memeq_pad (const void *a, size_t alen, const void *b, size_t blen);
 void http_auth_setenv(connection *con, const char *username, size_t ulen, const char *auth_type, size_t alen);
diff --git a/src/mod_authn_file.c b/src/mod_authn_file.c
index 1e16075e..6f76794a 100644
--- a/src/mod_authn_file.c
+++ b/src/mod_authn_file.c
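Review bot: The parameters on the `+int http_auth_const_time_memeq_pad (const void *a, ...)` line are now `const void *`, but the loop that indexes them lies below this hunk, outside the visible lines, so it must go through a byte pointer — e.g. `const unsigned char *x = a, *y = b;` at the top of the body — because indexing or arithmetic on `void *` is a GNU extension rather than ISO C. The surviving comment `/* constant time memory compare, unless compiler figures it out` also says nothing about what the new `_pad` suffix promises; I would extend it to `/* constant-time, length-padded compare: nonzero only if alen == blen and every byte matches; running time depends on alen and blen, never on the bytes or on where they first differ */`, worded as the intended contract since the body is not in view. The "unless compiler figures it out" caveat is worth keeping, as it is the honest statement of what a C-level constant-time routine can guarantee. The body of http_auth_const_time_memeq_pad continues past the end of the hunk.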
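Review bot: The new prototype `int http_auth_const_time_memeq_pad (const void *a, size_t alen, const void *b, size_t blen);` carries no contract comment, and `_pad` alone does not tell a caller what the result is when `alen != blen`, which is exactly the case the rename exists for; the header is where callers will look. I would place above `__attribute_pure__` a comment such as `/* constant-time equality of a[0..alen) and b[0..blen); returns nonzero only when alen == blen and the contents match; timing depends only on the two lengths, so a length mismatch does not short-circuit */`, stated as the intended contract since the implementation is in http_auth.c and not in this hunk. Marking the function `__attribute_pure__` is consistent with a routine whose result depends only on its arguments and the memory they point to, presuming that macro maps to the GCC `pure` attribute elsewhere in the tree.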
@@ -443,7 +443,7 @@ static handler_t mod_authn_file_plain_basic(server *srv, connection *con, void *
 mod_authn_file_patch_connection(srv, con, p);
 rc = mod_authn_file_htpasswd_get(srv, p->conf.auth_plain_userfile, CONST_BUF_LEN(username), password_buf);
 if (0 == rc) {
- rc = http_auth_const_time_memeq(CONST_BUF_LEN(password_buf), pw, strlen(pw)) ? 0 : -1;
+ rc = http_auth_const_time_memeq_pad(CONST_BUF_LEN(password_buf), pw, strlen(pw)) ? 0 : -1;
 }
 buffer_free(password_buf);
 return 0 == rc && http_auth_match_rules(require, username->ptr, NULL, NULL)
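Review bot: The constant-time compare on the `+` line only executes inside `if (0 == rc)`, i.e. presumably when `mod_authn_file_htpasswd_get()` found the user, so a request for a username absent from the userfile skips the compare and completes measurably faster than a wrong password for an existing user — the padded compare closes the length channel but not this account-enumeration timing channel. If that matters for the deployment, the compare should run on both paths, e.g. against a fixed dummy buffer when the lookup fails, so that `rc` is produced by the same sequence of operations either way. Separately, `password_buf` holds the plaintext password read from the userfile and goes straight to `buffer_free()`; clearing its contents first with a memset the compiler cannot elide (explicit_bzero where available, or whatever secure-clear helper the project already uses) keeps the secret from lingering in freed heap memory. mod_authn_file_plain_basic() begins before this hunk and the `return` on its last line continues past it.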