From: Arne Schwabe Date: Tue, 20 Dec 2022 14:04:58 +0000 (+0100) Subject: Make management password check constant time X-Git-Tag: v2.7_alpha1~627 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e567f34262b0670fd51cbbcb6c6866b046454cee;p=thirdparty%2Fopenvpn.git Make management password check constant time This changes the password check on the management interface to be constant time. Normally the management port should not be exposed in a way that allows an attacker to even interact with it but making the check constant time as an additional layer of security is always good. Patch v2: include NUL byte in comparison Reported-by: Connor Edwards Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20221220140458.2666637-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25784.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index b11de224d..5465b7e9b 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -198,7 +198,12 @@ man_check_password(struct management *man, const char *line) { if (man_password_needed(man)) { - if (streq(line, man->settings.up.password)) + /* This comparison is not fixed time but since strlen(time) is based on + * the attacker choice, it should not give any indication of the real + * password length, use + 1 to include the NUL byte that terminates the + * string*/ + size_t compare_len = min_uint(strlen(line) + 1, sizeof(man->settings.up.password)); + if (memcmp_constant_time(line, man->settings.up.password, compare_len) == 0) { man->connection.password_verified = true; msg(M_CLIENT, "SUCCESS: password is correct");
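Review bot: the new comment in the hunk says `strlen(time)` where the code actually computes `strlen(line)`, and it is missing a space before the closing `*/`; suggest rewording it along the lines of "The comparison length is derived from the attacker-supplied line, not from the stored password, so the time taken reveals nothing about the real password's length; + 1 includes the terminating NUL." The logic itself holds: `compare_len = min_uint(strlen(line) + 1, sizeof(man->settings.up.password))` never reads past the NUL of `line`, and including the NUL means a proper prefix of the password (or an over-long input that extends past the stored NUL) mismatches on the terminator rather than passing. One minor point worth confirming: `min_uint` is given `size_t` operands, so if it takes `unsigned int` the call narrows them; harmless for a password buffer of this size, but an explicit cast or a `size_t` variant of the helper would keep `-Wconversion` builds quiet.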