Hi,

On Thu, Dec 15, 2022 at 08:01:36PM +0100, Arne Schwabe wrote:
> This changes the password check on the management interface to be constant
> time. Normally the management port should not be exposed in a way that allows
> an attacker to even interact with it but making the check constant time as
> an additional layer of security is always good.

NAK on this, the min_int() logic is wrong. My fault, sorry.
With this, it will only compare "up to the number of bytes that the
attacker has entered", and if he happens to catch the first character
of the password, he's in...

Escape character is '^]'.
ENTER PASSWORD:f
SUCCESS: password is correct
... the password here is actually "foobar"...

Doing a "+1" on the compare length will include the 0-byte (which is
different here, "o" vs. "0"), and that should cover all cases.

gert

--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
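The defect described in the NAK, and the "+1" fix, written out as an added
example (not OpenVPN's code; ct_memcmp, min_int and the two check functions
are hypothetical stand-ins for the patch's logic):

```c
#include <stddef.h>
#include <string.h>

/* Constant-time comparison of n bytes: returns 0 only if all bytes match.
 * Hypothetical helper for this example, not OpenVPN's own implementation. */
static int ct_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= x[i] ^ y[i];
    }
    return diff;
}

static int min_int(int a, int b) { return a < b ? a : b; }

/* Buggy variant as described above: only min(len) bytes are compared,
 * so any prefix of the password ("f" for "foobar", or even "") is accepted.
 * Returns 1 when the check passes. */
int check_password_buggy(const char *entered, const char *password)
{
    int n = min_int((int)strlen(entered), (int)strlen(password));
    return ct_memcmp(entered, password, (size_t)n) == 0;
}

/* Fixed variant: "+1" on the compare length pulls in the terminating 0-byte
 * of the shorter string, so a length mismatch is detected ("\0" vs. "o").
 * Both buffers hold at least min(len)+1 bytes, so the read stays in bounds.
 * Note: the loop length still depends on the entered string's length, which
 * is fine here since that length is the attacker's own input. */
int check_password_fixed(const char *entered, const char *password)
{
    int n = min_int((int)strlen(entered), (int)strlen(password)) + 1;
    return ct_memcmp(entered, password, (size_t)n) == 0;
}
```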