use constant time comparisons

author Alan T. DeKok <aland@freeradius.org>

Wed, 31 Dec 2025 13:30:09 +0000 (08:30 -0500)

committer Alan T. DeKok <aland@freeradius.org>

Wed, 31 Dec 2025 13:30:09 +0000 (08:30 -0500)
author Alan T. DeKok <aland@freeradius.org>
Wed, 31 Dec 2025 13:30:09 +0000 (08:30 -0500)
committer Alan T. DeKok <aland@freeradius.org>
Wed, 31 Dec 2025 13:30:09 +0000 (08:30 -0500)
diff --git a/src/lib/eap_aka_sim/state_machine.c b/src/lib/eap_aka_sim/state_machine.c

index c4797eac2e4565be6b7c43749a44046e9e301427..ce6c25eaeb7ced8424f9d09f107b10251f2085da 100644 (file)
--- a/src/lib/eap_aka_sim/state_machine.c
+++ b/src/lib/eap_aka_sim/state_machine.c
@@ -2241,7 +2241,7 @@ RESUME(recv_aka_challenge_response)
                 goto failure;
         }
  
-       if (memcmp(vp->vp_octets, eap_aka_sim_session->keys.umts.vector.xres, vp->vp_length)) {
+       if (fr_digest_cmp(vp->vp_octets, eap_aka_sim_session->keys.umts.vector.xres, vp->vp_length)) {
                 REDEBUG("Received RES does not match calculated XRES");
                 RHEXDUMP_INLINE2(vp->vp_octets, vp->vp_length, "RES  :");
                 RHEXDUMP_INLINE2(eap_aka_sim_session->keys.umts.vector.xres,
diff --git a/src/modules/rlm_digest/rlm_digest.c b/src/modules/rlm_digest/rlm_digest.c

index 2fa2a57479e11bdac0fdd7106e7a1d10f7c89407..0f4a318262b18ecb02d1cacda6a600ac81116894 100644 (file)
--- a/src/modules/rlm_digest/rlm_digest.c
+++ b/src/modules/rlm_digest/rlm_digest.c
@@ -439,7 +439,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(unlang_result_t *p_resu
         /*
          *  And finally, compare the digest in the packet with KD.
          */
-       if (memcmp(&kd[0], &hash[0], 16) == 0) RETURN_UNLANG_OK;
+       if (fr_digest_cmp(&kd[0], &hash[0], 16) == 0) RETURN_UNLANG_OK;
  
         REDEBUG("FAILED authentication");
         RETURN_UNLANG_REJECT;
diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c

index 93dbfb639252601066e3b5840cfe794f997ebeeb..b2985ee7a548166c39760d65825da012a375f310 100644 (file)
--- a/src/modules/rlm_mschap/rlm_mschap.c
+++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -2130,7 +2130,7 @@ static int mschap_new_pass_decrypt(request_t *request, mschap_auth_ctx_t *auth_c
          */
         smbhash(old_nt_hash_expected, auth_ctx->nt_password->vp_octets, q);
         smbhash(old_nt_hash_expected + 8, auth_ctx->nt_password->vp_octets + 8, q + 7);
-       if (memcmp(old_nt_hash_expected, auth_ctx->cpw_ctx->old_nt_hash, NT_DIGEST_LENGTH)!=0) {
+       if (fr_digest_cmp(old_nt_hash_expected, auth_ctx->cpw_ctx->old_nt_hash, NT_DIGEST_LENGTH)!=0) {
                 REDEBUG("Old NT hash value from client does not match our value");
                 RHEXDUMP1(old_nt_hash_expected, NT_DIGEST_LENGTH, "expected");
                 RHEXDUMP1(auth_ctx->cpw_ctx->old_nt_hash, NT_DIGEST_LENGTH, "got");
author	Alan T. DeKok <aland@freeradius.org>
	Wed, 31 Dec 2025 13:30:09 +0000 (08:30 -0500)
committer	Alan T. DeKok <aland@freeradius.org>
	Wed, 31 Dec 2025 13:30:09 +0000 (08:30 -0500)
src/lib/eap_aka_sim/state_machine.c		patch \| blob \| blame \| history
src/modules/rlm_digest/rlm_digest.c		patch \| blob \| blame \| history
src/modules/rlm_mschap/rlm_mschap.c		patch \| blob \| blame \| history