Use timingsafe_memcmp() when comparing the authenticators. from iij.

2 files changed, 7 insertions, 5 deletions

diff --git a/lib/libradius/radius.c b/lib/libradius/radius.c
index f1a20cc5c0a..db351ea97cd 100644
--- a/lib/libradius/radius.c
+++ b/lib/libradius/radius.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: radius.c,v 1.4 2023/07/08 08:53:26 yasuoka Exp $ */
+/*	$OpenBSD: radius.c,v 1.5 2024/08/08 09:16:37 yasuoka Exp $ */
 
 /*-
  * Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -261,7 +261,8 @@ radius_check_response_authenticator(const RADIUS_PACKET * packet,
 	uint8_t authenticator[16];
 
 	radius_calc_response_authenticator(authenticator, packet, secret);
-	return (memcmp(authenticator, packet->pdata->authenticator, 16));
+	return (timingsafe_memcmp(authenticator, packet->pdata->authenticator,
+	    16));
 }
 
 void
@@ -299,7 +300,8 @@ radius_check_accounting_request_authenticator(const RADIUS_PACKET * packet,
 
 	radius_calc_accounting_request_authenticator(authenticator, packet,
 	    secret);
-	return (memcmp(authenticator, packet->pdata->authenticator, 16));
+	return (timingsafe_memcmp(authenticator, packet->pdata->authenticator,
+	    16));
 }
 
 
diff --git a/lib/libradius/radius_msgauth.c b/lib/libradius/radius_msgauth.c
index bbc26e77ac3..97170b65dbc 100644
--- a/lib/libradius/radius_msgauth.c
+++ b/lib/libradius/radius_msgauth.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: radius_msgauth.c,v 1.3 2024/07/24 08:19:16 yasuoka Exp $ */
+/*	$OpenBSD: radius_msgauth.c,v 1.4 2024/08/08 09:16:37 yasuoka Exp $ */
 
 /*-
  * Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -149,5 +149,5 @@ radius_check_message_authenticator(RADIUS_PACKET * packet, const char *secret)
 	if (len != sizeof(ma1))
 		return (-1);
 
-	return (memcmp(ma0, ma1, sizeof(ma1)));
+	return (timingsafe_memcmp(ma0, ma1, sizeof(ma1)));
 }