From: Alan T. DeKok <aland@freeradius.org>
Date: Wed, 23 Feb 2011 09:59:55 +0000 (+0100)
Subject: Expose digest_cmp function
X-Git-Tag: release_2_1_11~111
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f17daee31dc640dd2f5bde836ae50ee927a65709;p=thirdparty%2Ffreeradius-server.git

Expose digest_cmp function

So that it can be used in other places to avoid timing attacks
---

diff --git a/src/include/libradius.h b/src/include/libradius.h
index a9c13c3d3d8..6492af7d318 100644
--- a/src/include/libradius.h
+++ b/src/include/libradius.h
@@ -314,6 +314,7 @@ int		rad_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
 int		rad_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
 			 const char *secret);
 
+int rad_digest_cmp(const uint8_t *a, const uint8_t *b, size_t length);
 RADIUS_PACKET	*rad_alloc(int newvector);
 RADIUS_PACKET	*rad_alloc_reply(RADIUS_PACKET *);
 void		rad_free(RADIUS_PACKET **);
diff --git a/src/lib/radius.c b/src/lib/radius.c
index 826270f4781..809d88b3163 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -1524,7 +1524,7 @@ int rad_send(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
  *
  *	http://www.cs.rice.edu/~dwallach/pub/crosby-timing2009.pdf
  */
-static int digest_cmp(const uint8_t *a, const uint8_t *b, size_t length)
+int rad_digest_cmp(const uint8_t *a, const uint8_t *b, size_t length)
 {
 	int result = 0;
 	size_t i;
@@ -1565,7 +1565,7 @@ static int calc_acctdigest(RADIUS_PACKET *packet, const char *secret)
 	/*
 	 *	Return 0 if OK, 2 if not OK.
 	 */
-	if (digest_cmp(digest, packet->vector, AUTH_VECTOR_LEN) != 0) return 2;
+	if (rad_digest_cmp(digest, packet->vector, AUTH_VECTOR_LEN) != 0) return 2;
 	return 0;
 }
 
@@ -1608,7 +1608,7 @@ static int calc_replydigest(RADIUS_PACKET *packet, RADIUS_PACKET *original,
 	/*
 	 *	Return 0 if OK, 2 if not OK.
 	 */
-	if (digest_cmp(packet->vector, calc_digest, AUTH_VECTOR_LEN) != 0) return 2;
+	if (rad_digest_cmp(packet->vector, calc_digest, AUTH_VECTOR_LEN) != 0) return 2;
 	return 0;
 }
 
@@ -2099,7 +2099,7 @@ int rad_verify(RADIUS_PACKET *packet, RADIUS_PACKET *original,
 			fr_hmac_md5(packet->data, packet->data_len,
 				    (const uint8_t *) secret, strlen(secret),
 				    calc_auth_vector);
-			if (digest_cmp(calc_auth_vector, msg_auth_vector,
+			if (rad_digest_cmp(calc_auth_vector, msg_auth_vector,
 				   sizeof(calc_auth_vector)) != 0) {
 				char buffer[32];
 				fr_strerror_printf("Received packet from %s with invalid Message-Authenticator!  (Shared secret is incorrect.)",