From c11ccdfad1596199713f75a61f34672f7529ab73 Mon Sep 17 00:00:00 2001
From: Christian Göttsche
Date: Sat, 20 Jan 2024 14:03:51 +0100
Subject: libpam: add helper to compare strings in constant time

Add a helper function to compare two strings for equality, that performs the same amount of operations based on the first argument, regardless of the length of the second argument, or the position of the first difference. This can be used as defense-in-depth mitigation against timing attacks of password comparisons.
---
 libpam/include/pam_inline.h | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'libpam')

diff --git a/libpam/include/pam_inline.h b/libpam/include/pam_inline.h
index cf04c9af..a5aceb8a 100644
--- a/libpam/include/pam_inline.h
+++ b/libpam/include/pam_inline.h
@@ -175,4 +175,18 @@ pam_read_passwords(int fd, int npass, char **passwords)
 return i;
 }
 
+static inline int
+pam_consttime_streq(const char *userinput, const char *secret) {
+ volatile const char *u = userinput, *s = secret;
+ volatile int ret = 0;
+
+ do {
+ ret |= *u ^ *s;
+
+ s += !!*s;
+ } while (*u++ != '\0');
+
+ return ret == 0;
+}
+
 #endif /* PAM_INLINE_H */
-- 
cgit v1.2.3
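Review bot: pam_consttime_streq carries no comment stating its contract, and the argument-order property the commit message describes is exactly what a caller must get right, since the loop runs strlen(userinput)+1 times while `s += !!*s` merely parks `s` on secret's terminator. Add above the definition: `/* Compare two NUL-terminated strings for equality; returns 1 if equal, 0 otherwise. The number of operations depends only on the length of userinput, never on the length of secret or on the position of the first mismatch, so pass the externally supplied string first. Both pointers must be non-NULL. */`. It would also help to record in that comment that the `volatile` qualifiers discourage, but do not guarantee, that the compiler keeps the loop data-independent, which is why the commit message calls this defense-in-depth rather than a constant-time guarantee.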