[PATCH 2/2] su: use "constant time" memcmp to compare password

From: Jakob Kramer <jakob.kramer_AT_gmx.de>
Date: Wed, 30 Apr 2014 00:20:31 +0200

---
 su.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/su.c b/su.c
index 16ce6c2..54d7679 100644
--- a/su.c
+++ b/su.c
_AT_@ -17,6 +17,7 @@ extern char **environ;
 static const char *randreply(void);
 static char *msetenv(const char *, const char *);
 static void dologin(struct passwd *);
+static int passcmp(const char *, const char *, size_t);
 
 static void
 usage(void)
_AT_@ -86,7 +87,7 @@ main(int argc, char *argv[])
 		if (!cryptpass)
 			eprintf("crypt:");
 
-		if (strcmp(cryptpass, spw->sp_pwdp) != 0)
+		if (passcmp(cryptpass, spw->sp_pwdp, strlen(cryptpass)) != 0)
 			eprintf(randreply());
 
 		for (i = 0; cryptpass[i]; i++)
_AT_@ -187,3 +188,15 @@ dologin(struct passwd *pw)
 		eprintf("chdir %s:", pw->pw_dir);
 	execve(pw->pw_shell, newargv, newenv);
 }
+
+static int
+passcmp(const char *s, const char *t, size_t n)
+{
+	size_t i;
+	char d = 0;
+
+	for (i = 0; i < n; i++)
+		d |= s[i] ^ t[i];
+
+	return d;
+}
-- 
1.8.5.1
--------------050706060502090702060604--
Received on Mon Sep 17 2001 - 00:00:00 CEST

This archive was generated by hypermail 2.3.0 : Wed Apr 30 2014 - 01:12:03 CEST