From 9a69c24150965e54322ed9616638d4f1939b1289 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Sat, 31 Mar 2012 22:51:28 -0400
Subject: Do not use strcmp() to compare an http authenticator to its expected
 value

This fixes a side-channel attack on the (fortunately unused!)
BridgePassword option for bridge authorities.  Fix for bug 5543;
bugfix on 0.2.0.14-alpha.
---
 src/or/or.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'src/or/or.h')

diff --git a/src/or/or.h b/src/or/or.h
index eecd3750a9..92592e5fa9 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -2489,10 +2489,11 @@ typedef struct {
                                * that aggregates bridge descriptors? */
 
   /** If set on a bridge authority, it will answer requests on its dirport
-   * for bridge statuses -- but only if the requests use this password.
-   * If set on a bridge user, request bridge statuses, and use this password
-   * when doing so. */
+   * for bridge statuses -- but only if the requests use this password. */
   char *BridgePassword;
+  /** If BridgePassword is set, this is a SHA256 digest of the basic http
+   * authenticator for it. */
+  char *BridgePassword_AuthDigest;
 
   int UseBridges; /**< Boolean: should we start all circuits with a bridge? */
   config_line_t *Bridges; /**< List of bootstrap bridge addresses. */
-- 
cgit v1.2.3-54-g00ecf