[mod_auth] http_auth_const_time_memeq() (#2975, #2976)

use constant time comparison when comparing digests (mitigation for brute-force timing attacks against digests generated using the same nonce) x-ref: "Digest auth nonces are not validated" https://redmine.lighttpd.net/issues/2976 "safe_memcmp new function proposal" https://redmine.lighttpd.net/issues/2975
author: Glenn Strauss <gstrauss@gluelogic.com> 2019-09-08 18:26:58 -0400
committer: Glenn Strauss <gstrauss@gluelogic.com> 2019-09-08 18:26:58 -0400
commit: 0e749c1c84326a51f0f8a80c6db49c31c8e920ab (patch)
tree: c8fcd7135c621fa228194009e22e697e2e2b8985 /src/mod_authn_file.c
parent: 89dfbf14a5f9bb19bc89e9c29bffe2f5e8dcdcaa (diff)
download: lighttpd-git-0e749c1c84326a51f0f8a80c6db49c31c8e920ab.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/src/mod_authn_file.c b/src/mod_authn_file.c
index 6f76794a..fa21892b 100644
--- a/src/mod_authn_file.c
+++ b/src/mod_authn_file.c
@@ -356,7 +356,7 @@ static handler_t mod_authn_file_htdigest_basic(server *srv, connection *con, voi
 
     mod_authn_file_digest(&ai, pw, strlen(pw));
 
-    return (0 == memcmp(htdigest, ai.digest, ai.dlen)
+    return (http_auth_const_time_memeq(htdigest, ai.digest, ai.dlen)
             && http_auth_match_rules(require, username->ptr, NULL, NULL))
       ? HANDLER_GO_ON
       : HANDLER_ERROR;
author	Glenn Strauss <gstrauss@gluelogic.com>	2019-09-08 18:26:58 -0400
committer	Glenn Strauss <gstrauss@gluelogic.com>	2019-09-08 18:26:58 -0400
commit	0e749c1c84326a51f0f8a80c6db49c31c8e920ab (patch)
tree	c8fcd7135c621fa228194009e22e697e2e2b8985 /src/mod_authn_file.c
parent	89dfbf14a5f9bb19bc89e9c29bffe2f5e8dcdcaa (diff)
download	lighttpd-git-0e749c1c84326a51f0f8a80c6db49c31c8e920ab.tar.gz