From: Alan T. DeKok <aland@freeradius.org>
Date: Wed, 31 Dec 2025 13:30:09 +0000 (-0500)
Subject: use constant time comparisons
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aff9f3757267056ffefd3d775886d87f6fee63a6;p=thirdparty%2Ffreeradius-server.git

use constant time comparisons
---

diff --git a/src/lib/eap_aka_sim/state_machine.c b/src/lib/eap_aka_sim/state_machine.c
index c4797eac2e4..ce6c25eaeb7 100644
--- a/src/lib/eap_aka_sim/state_machine.c
+++ b/src/lib/eap_aka_sim/state_machine.c
@@ -2241,7 +2241,7 @@ RESUME(recv_aka_challenge_response)
 		goto failure;
 	}
 
-  	if (memcmp(vp->vp_octets, eap_aka_sim_session->keys.umts.vector.xres, vp->vp_length)) {
+	if (fr_digest_cmp(vp->vp_octets, eap_aka_sim_session->keys.umts.vector.xres, vp->vp_length)) {
     		REDEBUG("Received RES does not match calculated XRES");
 		RHEXDUMP_INLINE2(vp->vp_octets, vp->vp_length, "RES  :");
 		RHEXDUMP_INLINE2(eap_aka_sim_session->keys.umts.vector.xres,
diff --git a/src/modules/rlm_digest/rlm_digest.c b/src/modules/rlm_digest/rlm_digest.c
index 2fa2a57479e..0f4a318262b 100644
--- a/src/modules/rlm_digest/rlm_digest.c
+++ b/src/modules/rlm_digest/rlm_digest.c
@@ -439,7 +439,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(unlang_result_t *p_resu
 	/*
 	 *  And finally, compare the digest in the packet with KD.
 	 */
-	if (memcmp(&kd[0], &hash[0], 16) == 0) RETURN_UNLANG_OK;
+	if (fr_digest_cmp(&kd[0], &hash[0], 16) == 0) RETURN_UNLANG_OK;
 
 	REDEBUG("FAILED authentication");
 	RETURN_UNLANG_REJECT;
diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
index 93dbfb63925..b2985ee7a54 100644
--- a/src/modules/rlm_mschap/rlm_mschap.c
+++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -2130,7 +2130,7 @@ static int mschap_new_pass_decrypt(request_t *request, mschap_auth_ctx_t *auth_c
 	 */
 	smbhash(old_nt_hash_expected, auth_ctx->nt_password->vp_octets, q);
 	smbhash(old_nt_hash_expected + 8, auth_ctx->nt_password->vp_octets + 8, q + 7);
-	if (memcmp(old_nt_hash_expected, auth_ctx->cpw_ctx->old_nt_hash, NT_DIGEST_LENGTH)!=0) {
+	if (fr_digest_cmp(old_nt_hash_expected, auth_ctx->cpw_ctx->old_nt_hash, NT_DIGEST_LENGTH)!=0) {
 		REDEBUG("Old NT hash value from client does not match our value");
 		RHEXDUMP1(old_nt_hash_expected, NT_DIGEST_LENGTH, "expected");
 		RHEXDUMP1(auth_ctx->cpw_ctx->old_nt_hash, NT_DIGEST_LENGTH, "got");