note about constant_time_strcmp and lengths

2025-02-07 13:21:15 +00:00 · 2015-06-03 22:15:12 +08:00 · 2015-06-03 22:15:12 +08:00 · 1fa1c3f9db
commit 1fa1c3f9db
parent 91df741926
1 changed files with 2 additions and 0 deletions
--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
@ -33,6 +33,8 @@

 #ifdef ENABLE_SVR_PASSWORD_AUTH

+/* not constant time when strings are differing lengths. 
+ string content isn't leaked, and crypt hashes are predictable length. */
 static int constant_time_strcmp(const char* a, const char* b) {
 	size_t la = strlen(a);
 	size_t lb = strlen(b);