auth: Use consttime_memequal(3) to compare hashes

author Roy Marples <roy@marples.name>

Fri, 19 Apr 2019 20:40:14 +0000 (21:40 +0100)

committer Roy Marples <roy@marples.name>

Fri, 19 Apr 2019 20:40:14 +0000 (21:40 +0100)
author Roy Marples <roy@marples.name>
Fri, 19 Apr 2019 20:40:14 +0000 (21:40 +0100)
committer Roy Marples <roy@marples.name>
Fri, 19 Apr 2019 20:40:14 +0000 (21:40 +0100)
diff --git a/src/auth.c b/src/auth.c

index 9e24998c17b34300c0d206547c795ca7f5e112a2..ce97051ea37ff5921dd5f58328e173798d5144e5 100644 (file)
--- a/src/auth.c
+++ b/src/auth.c
@@ -354,7 +354,7 @@ gottoken:
         }
  
         free(mm);
-       if (memcmp(d, &hmac_code, dlen)) {
+       if (!consttime_memequal(d, &hmac_code, dlen)) {
                 errno = EPERM;
                 return NULL;
         }
author	Roy Marples <roy@marples.name>
	Fri, 19 Apr 2019 20:40:14 +0000 (21:40 +0100)
committer	Roy Marples <roy@marples.name>
	Fri, 19 Apr 2019 20:40:14 +0000 (21:40 +0100)