Use constant-time comparisons for checksums

author: Greg Hudson <ghudson@mit.edu> 2013-10-02 17:58:06 -0400
committer: Greg Hudson <ghudson@mit.edu> 2013-10-03 15:26:00 -0400
commit: 07d68eec2788bfe80686608813f644838707c168 (patch)
tree: 59c01da03dc85a005b5936ecf836eac4fe71c98b /src/plugins/preauth/pkinit/pkinit_srv.c
parent: ac7d07c2cc54e9f07fe81ac4c50bcc80ecc7ac54 (diff)
download: krb5-07d68eec2788bfe80686608813f644838707c168.tar.gz
krb5-07d68eec2788bfe80686608813f644838707c168.tar.xz
krb5-07d68eec2788bfe80686608813f644838707c168.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 640e835ca..1179216b5 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -461,9 +461,9 @@ pkinit_server_verify_padata(krb5_context context,
             goto cleanup;
         }
         if (cksum.length != auth_pack->pkAuthenticator.paChecksum.length ||
-            memcmp(cksum.contents,
-                   auth_pack->pkAuthenticator.paChecksum.contents,
-                   cksum.length)) {
+            k5_bcmp(cksum.contents,
+                    auth_pack->pkAuthenticator.paChecksum.contents,
+                    cksum.length) != 0) {
             pkiDebug("failed to match the checksum\n");
 #ifdef DEBUG_CKSUM
             pkiDebug("calculating checksum on buf size (%d)\n",
author	Greg Hudson <ghudson@mit.edu>	2013-10-02 17:58:06 -0400
committer	Greg Hudson <ghudson@mit.edu>	2013-10-03 15:26:00 -0400
commit	07d68eec2788bfe80686608813f644838707c168 (patch)
tree	59c01da03dc85a005b5936ecf836eac4fe71c98b /src/plugins/preauth/pkinit/pkinit_srv.c
parent	ac7d07c2cc54e9f07fe81ac4c50bcc80ecc7ac54 (diff)
download	krb5-07d68eec2788bfe80686608813f644838707c168.tar.gz krb5-07d68eec2788bfe80686608813f644838707c168.tar.xz krb5-07d68eec2788bfe80686608813f644838707c168.zip