Replace WMEMCMP in CheckAuthKeysLine

padelsbach · padelsbach · commit 854a36248e94 · 2026-04-13T10:19:24.000-07:00
diff --git a/apps/wolfsshd/auth.c b/apps/wolfsshd/auth.c
@@ -229,7 +229,10 @@ static int CheckAuthKeysLine(char* line, word32 lineSz, const byte* key,
         }
     }
     if (ret == WSSHD_AUTH_SUCCESS) {
-        if (keyCandSz != keySz || WMEMCMP(key, keyCand, keySz) != 0) {
+        /* Constant-time compare to avoid leaking which prefix bytes of an
+         * authorized key match a candidate offered by a remote peer. */
+        if (keyCandSz != keySz ||
+                ConstantCompare(key, keyCand, keySz) != 0) {
             ret = WSSHD_AUTH_FAILURE;
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -229,7 +229,10 @@ static int CheckAuthKeysLine(char* line, word32 lineSz, const byte* key,`
`229`	`229`	`}`
`230`	`230`	`}`
`231`	`231`	`if (ret == WSSHD_AUTH_SUCCESS) {`
`232`		`- if (keyCandSz != keySz \|\| WMEMCMP(key, keyCand, keySz) != 0) {`
	`232`	`+ /* Constant-time compare to avoid leaking which prefix bytes of an`
	`233`	`+ * authorized key match a candidate offered by a remote peer. */`
	`234`	`+ if (keyCandSz != keySz \|\|`
	`235`	`+ ConstantCompare(key, keyCand, keySz) != 0) {`
`233`	`236`	`ret = WSSHD_AUTH_FAILURE;`
`234`	`237`	`}`
`235`	`238`	`}`