From: Roy Marples <roy@marples.name>
Date: Fri, 19 Apr 2019 20:40:14 +0000 (+0100)
Subject: auth: Use consttime_memequal(3) to compare hashes
X-Git-Tag: v7.2.1~24
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05da1daf2a34b00f7bd8572697f66f2481f4df29;p=thirdparty%2Fdhcpcd.git

auth: Use consttime_memequal(3) to compare hashes

This stops any attacker from trying to infer secrets from latency.

Thanks to Maxime Villard <max@m00nbsd.net>
---

diff --git a/src/auth.c b/src/auth.c
index 9e24998c..ce97051e 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -354,7 +354,7 @@ gottoken:
 	}
 
 	free(mm);
-	if (memcmp(d, &hmac_code, dlen)) {
+	if (!consttime_memequal(d, &hmac_code, dlen)) {
 		errno = EPERM;
 		return NULL;
 	}