From 1fa1c3f9db61e11d18363140f167ca1627e2f6ed Mon Sep 17 00:00:00 2001
From: Matt Johnston
Date: Wed, 3 Jun 2015 22:15:12 +0800
Subject: note about constant_time_strcmp and lengths
---
 svr-authpasswd.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'svr-authpasswd.c')
diff --git a/svr-authpasswd.c b/svr-authpasswd.c
index 7a5a121..0153a53 100644
--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
@@ -33,6 +33,8 @@
 #ifdef ENABLE_SVR_PASSWORD_AUTH
+/* not constant time when strings are differing lengths.
+ string content isn't leaked, and crypt hashes are predictable length. */
 static int constant_time_strcmp(const char* a, const char* b) {
 size_t la = strlen(a);
 size_t lb = strlen(b);
-- 
cgit v1.2.3
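Review bot: The new comment above `constant_time_strcmp` records the limitation but not the contract a caller has to keep: the comparison is only appropriate when the lengths of both arguments are not secret, as the comment assumes for crypt hashes. I would state that directly, e.g. `/* Timing reveals only whether the two lengths match, never string content. Use only where lengths are non-secret (crypt hashes); not for variable-length secrets. */`. The function body continues past the end of the hunk, so how a length mismatch is handled is not visible here; the comment implies it is the one data-dependent path, which is worth confirming against the rest of the function.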