| field | value | date |
|---|---|---|
| author | Glenn Strauss <gstrauss@gluelogic.com> | 2019-09-08 18:26:58 -0400 |
| committer | Glenn Strauss <gstrauss@gluelogic.com> | 2019-09-08 18:26:58 -0400 |
| commit | 0e749c1c84326a51f0f8a80c6db49c31c8e920ab (patch) | |
| tree | c8fcd7135c621fa228194009e22e697e2e2b8985 /src/mod_authn_file.c | |
| parent | 89dfbf14a5f9bb19bc89e9c29bffe2f5e8dcdcaa (diff) | |
| download | lighttpd-git-0e749c1c84326a51f0f8a80c6db49c31c8e920ab.tar.gz | |
[mod_auth] http_auth_const_time_memeq() (#2975, #2976)
use constant time comparison when comparing digests
(mitigation for brute-force timing attacks against digests
generated using the same nonce)
x-ref:
"Digest auth nonces are not validated"
https://redmine.lighttpd.net/issues/2976
"safe_memcmp new function proposal"
https://redmine.lighttpd.net/issues/2975
Diffstat (limited to 'src/mod_authn_file.c')
-rw-r--r-- | src/mod_authn_file.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/mod_authn_file.c b/src/mod_authn_file.c index 6f76794a..fa21892b 100644 --- a/src/mod_authn_file.c +++ b/src/mod_authn_file.c @@ -356,7 +356,7 @@ static handler_t mod_authn_file_htdigest_basic(server *srv, connection *con, voi mod_authn_file_digest(&ai, pw, strlen(pw)); - return (0 == memcmp(htdigest, ai.digest, ai.dlen) + return (http_auth_const_time_memeq(htdigest, ai.digest, ai.dlen) && http_auth_match_rules(require, username->ptr, NULL, NULL)) ? HANDLER_GO_ON : HANDLER_ERROR; |
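Review bot: the replacement of `0 == memcmp(htdigest, ai.digest, ai.dlen)` with `http_auth_const_time_memeq(htdigest, ai.digest, ai.dlen)` flips the truthiness convention, so the new helper must return nonzero on equality where memcmp returns 0; since the two conventions are easy to mix up and an inverted result here would accept wrong passwords, the helper's return contract deserves an explicit comment at its declaration and a unit test covering both the equal and not-equal cases. The comparison length is also taken from the freshly computed digest (`ai.dlen`) while `htdigest` is the stored value, so the constant-time property, like the old memcmp, depends on `htdigest` being guaranteed to hold at least `ai.dlen` bytes; any length mismatch should be rejected before this call rather than left to the compare. Finally, this hunk is in `mod_authn_file_htdigest_basic`, whereas the commit message frames the fix around digests generated with the same nonce; the constant-time compare is appropriate here too, but the message should say that the change also covers the Basic-auth path, and the nonce validation issue referenced in #2976 is not addressed by this diff.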