This changes the password check on the management interface to be constant time. Normally the management port should not be exposed in a way that allows an attacker to even interact with it but making the check constant time as an additional layer of security is always good.
Reported-by: Connor Edwards <c...@pm.me> Signed-off-by: Arne Schwabe <a...@rfc2549.org> --- src/openvpn/manage.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 9349b62ad..d952618e7 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -198,7 +198,11 @@ man_check_password(struct management *man, const char *line) { if (man_password_needed(man)) { - if (streq(line, man->settings.up.password)) + /* This comparison is not fixed time but since strlen(time) is based on + * the attacker choice, it should not give any indication of the real + * password length */ + if (memcmp_constant_time(line, man->settings.up.password, + min_uint(strlen(line), sizeof(man->settings.up.password))) == 0) { man->connection.password_verified = true; msg(M_CLIENT, "SUCCESS: password is correct"); -- 2.37.1 (Apple Git-137.1) _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel