From efd2a79c11982d0feebebbf740506c9555120b97 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Tue, 16 Jun 2020 15:00:00 +0000
Subject: pam_modutil_check_user_in_passwd: avoid timing attacks
* libpam/pam_modutil_check_user.c (pam_modutil_check_user_in_passwd): Do not exit the file reading loop when the user is found, continue reading the file to avoid timing attacks.
---
 libpam/pam_modutil_check_user.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'libpam')
diff --git a/libpam/pam_modutil_check_user.c b/libpam/pam_modutil_check_user.c
index 898b13a9..cf1bd1b5 100644
--- a/libpam/pam_modutil_check_user.c
+++ b/libpam/pam_modutil_check_user.c
@@ -60,7 +60,9 @@ pam_modutil_check_user_in_passwd(pam_handle_t *pamh,
 if (strncmp(user_name, line, user_len) == 0 &&
 line[user_len] == ':') {
 rc = PAM_SUCCESS;
- break;
+ /*
+ * Continue reading the file to avoid timing attacks.
+ */
 }
 /* Has a newline been read? */
 line_len = strlen(line);
-- cgit v1.2.1
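Review bot: The comment that replaces `break` says only "avoid timing attacks", which does not tell a maintainer what the full scan is hiding, or that restoring the early exit would be a security regression rather than an optimisation. I would word it as `/* Do not break: scan the whole file so that run time does not depend on whether, or where, the user name matched. */`. The per-line `strncmp` still returns at the first differing byte, so this removes the position-dependent signal but does not make the lookup constant-time, and the comment should not imply more than that. The enclosing read loop starts and ends outside the hunk, so how `rc` is used on the later exit paths could not be checked from here.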