client_pid);
o_stream_nsend_str(conn->output,
t_strdup_printf("FAIL\t%u\n", id));
- } else if (memcmp(client_conn->cookie, cookie, sizeof(cookie)) != 0) {
+ } else if (!mem_equals_timing_safe(client_conn->cookie, cookie, sizeof(cookie))) {
i_error("Master requested auth for client %u with invalid cookie",
client_pid);
o_stream_nsend_str(conn->output,
md5_update(&ctx, credentials, size);
md5_final(&ctx, digest);
- return memcmp(digest, request->response_digest, 16) == 0;
+ return mem_equals_timing_safe(digest, request->response_digest, 16);
}
static void
response_hex = binary_to_hex(digest, sizeof(digest));
- if (memcmp(response_hex, request->response, sizeof(digest)*2) != 0) {
+ if (!mem_equals_timing_safe(response_hex, request->response, sizeof(digest)*2)) {
auth_request_log_info(&request->auth_request, AUTH_SUBSYS_MECH,
"password mismatch");
return FALSE;
if (i == 0) {
/* verify response */
- if (memcmp(response_hex, request->response, 32) != 0) {
+ if (!mem_equals_timing_safe(response_hex, request->response, 32)) {
auth_request_log_info(&request->auth_request,
AUTH_SUBSYS_MECH,
"password mismatch");
const gss_OID_desc *oid2)
{
return oid1->length == oid2->length &&
- memcmp(oid1->elements, oid2->elements, oid1->length) == 0;
+ mem_equals_timing_safe(oid1->elements, oid2->elements, oid1->length);
}
static int
}
ntlmssp_v1_response(credentials, request->challenge, lm_response);
- return memcmp(lm_response, client_response, LM_RESPONSE_SIZE) == 0;
+ return mem_equals_timing_safe(lm_response, client_response, LM_RESPONSE_SIZE);
}
static void
response_length - NTLMSSP_V2_RESPONSE_SIZE,
ntlm_v2_response);
- return memcmp(ntlm_v2_response, client_response,
- NTLMSSP_V2_RESPONSE_SIZE) == 0 ? 1 : -1;
+ return mem_equals_timing_safe(ntlm_v2_response, client_response,
+ NTLMSSP_V2_RESPONSE_SIZE) ? 1 : -1;
} else {
unsigned char ntlm_response[NTLMSSP_RESPONSE_SIZE];
const unsigned char *client_lm_response =
ntlmssp_v1_response(credentials, request->challenge,
ntlm_response);
- return memcmp(ntlm_response, client_response,
- NTLMSSP_RESPONSE_SIZE) == 0 ? 1 : -1;
+ return mem_equals_timing_safe(ntlm_response, client_response,
+ NTLMSSP_RESPONSE_SIZE) ? 1 : -1;
}
}
memcpy(request->pwd_md5, credentials, sizeof(request->pwd_md5));
rpa_user_response(request, response);
- return memcmp(response, request->user_response, sizeof(response)) == 0;
+ return mem_equals_timing_safe(response, request->user_response, sizeof(response));
}
static void
safe_memset(client_key, 0, sizeof(client_key));
safe_memset(client_signature, 0, sizeof(client_signature));
- return memcmp(stored_key, request->stored_key, sizeof(stored_key)) == 0;
+ return mem_equals_timing_safe(stored_key, request->stored_key, sizeof(stored_key));
}
static void credentials_callback(enum passdb_result result,
}
pbkdf_run(plaintext, salt, rounds, key2);
- return memcmp(key1, key2, sizeof(key1)) == 0 ? 1 : 0;
+ return mem_equals_timing_safe(key1, key2, sizeof(key1)) ? 1 : 0;
}
/* Calculate StoredKey */
sha1_get_digest(client_key, sizeof(client_key), calculated_stored_key);
- ret = memcmp(stored_key, calculated_stored_key,
- sizeof(stored_key)) == 0 ? 1 : 0;
+ ret = mem_equals_timing_safe(stored_key, calculated_stored_key,
+ sizeof(stored_key)) ? 1 : 0;
safe_memset(salted_password, 0, sizeof(salted_password));
safe_memset(client_key, 0, sizeof(client_key));
s->password_generate(plaintext, user,
&generated, &generated_size);
ret = size != generated_size ? 0 :
- memcmp(generated, raw_password, size) == 0 ? 1 : 0;
+ mem_equals_timing_safe(generated, raw_password, size) ? 1 : 0;
}
if (ret == 0)
sha1_loop(&ctx, plaintext, strlen(plaintext));
sha1_loop(&ctx, raw_password + SHA1_RESULTLEN, size - SHA1_RESULTLEN);
sha1_result(&ctx, sha1_digest);
- return memcmp(sha1_digest, raw_password, SHA1_RESULTLEN) == 0 ? 1 : 0;
+ return mem_equals_timing_safe(sha1_digest, raw_password, SHA1_RESULTLEN) ? 1 : 0;
}
static void
sha256_loop(&ctx, raw_password + SHA256_RESULTLEN,
size - SHA256_RESULTLEN);
sha256_result(&ctx, sha256_digest);
- return memcmp(sha256_digest, raw_password,
- SHA256_RESULTLEN) == 0 ? 1 : 0;
+ return mem_equals_timing_safe(sha256_digest, raw_password,
+ SHA256_RESULTLEN) ? 1 : 0;
}
static void
sha512_loop(&ctx, raw_password + SHA512_RESULTLEN,
size - SHA512_RESULTLEN);
sha512_result(&ctx, sha512_digest);
- return memcmp(sha512_digest, raw_password,
- SHA512_RESULTLEN) == 0 ? 1 : 0;
+ return mem_equals_timing_safe(sha512_digest, raw_password,
+ SHA512_RESULTLEN) ? 1 : 0;
}
static void
md5_update(&ctx, plaintext, strlen(plaintext));
md5_update(&ctx, raw_password + MD5_RESULTLEN, size - MD5_RESULTLEN);
md5_final(&ctx, md5_digest);
- return memcmp(md5_digest, raw_password, MD5_RESULTLEN) == 0 ? 1 : 0;
+ return mem_equals_timing_safe(md5_digest, raw_password, MD5_RESULTLEN) ? 1 : 0;
}
static void