Skip to content

[2.4.x] Add ap_*_timingsafe#639

Closed
notroj wants to merge 17 commits intoapache:2.4.xfrom
notroj:24x-ap_star_timingsafe
Closed

[2.4.x] Add ap_*_timingsafe#639
notroj wants to merge 17 commits intoapache:2.4.xfrom
notroj:24x-ap_star_timingsafe

Conversation

@notroj
Copy link
Copy Markdown
Collaborator

@notroj notroj commented Apr 27, 2026 

Merge r1933389 from trunk:

Add ap_*_timingsafe() constant-time comparison functions:

* include/httpd.h: Declare ap_memeq_timingsafe(), ap_streq_timingsafe(), ap_strneq_timingsafe().

* server/util.c: Implement, wrapping apr_*_timingsafe() if APR >= 1.8, with a fallback to copied-in versions.

* modules/aaa/mod_auth_digest.c: Replace apr_crypto_equals() with ap_memeq_timingsafe(). Remove apr_crypto.h include.

* modules/session/mod_session_crypto.c: Replace local ap_crypto_equals() with ap_memeq_timingsafe(). Remove the local implementation and macro alias.

* include/ap_mmn.h: Bump MMN minor.

(cherry picked from commit 7f5de0aebf5c04796aa9c25153413b09d609763b)

rbowen and others added 17 commits April 24, 2026 15:57
@rbowen
Rebuild html, meta files
f89a617 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933313 13f79535-47bb-0310-9956-ffa450edef68
@covener
Merge r1933340 from trunk:
493eb23 
fix length checks in  AJP msg_get functions



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933341 13f79535-47bb-0310-9956-ffa450edef68
@covener
Merge r1933342 from trunk:
b8def8f 
fix ajp_msg_get_string buffer checks



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933343 13f79535-47bb-0310-9956-ffa450edef68
@covener
Merge r1933344 from trunk:
a3d3228 
fix ajp_parse_data message len check
+lognos



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933346 13f79535-47bb-0310-9956-ffa450edef68
@covener
Merge r1933347 from trunk:
d04119e 
fix ajp_msg_check_header check



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933348 13f79535-47bb-0310-9956-ffa450edef68
@covener
Merge r1933349 from trunk:
05e6c50 
use AP_EXPR_FLAG_RESTRICTED in htaccess



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933350 13f79535-47bb-0310-9956-ffa450edef68
@covener
Merge r1933351 from trunk:
5b1edb7 
ocsp limits




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933352 13f79535-47bb-0310-9956-ffa450edef68
@covener
Merge r1933353 from trunk:
225dc07 
mod_dav_lock: use the right dav_lock_discovery



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933354 13f79535-47bb-0310-9956-ffa450edef68
@covener
Merge r1933355 from trunk:
4833b58 
mod_auth_digest: use apr_crypto_equals



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933356 13f79535-47bb-0310-9956-ffa450edef68
@covener
Merge r1933357 from trunk:
d80685a 
mod_authn_socache: validate URL earlier



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933358 13f79535-47bb-0310-9956-ffa450edef68
@covener
Merge r1933359 from trunk:
0218d4b 
scan outgoing status line for newlines and controls



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933360 13f79535-47bb-0310-9956-ffa450edef68
@covener
make update-changes
10a9301 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933362 13f79535-47bb-0310-9956-ffa450edef68
@covener
xforms
294e4f3 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933363 13f79535-47bb-0310-9956-ffa450edef68
@notroj
CI: Since r1933356, APR-util 1.6.x is the minimum version.
b8508bd 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933377 13f79535-47bb-0310-9956-ffa450edef68
@notroj
Merge r1933389 from trunk:
75fc7f9 
Add ap_*_timingsafe() constant-time comparison functions:

* include/httpd.h: Declare ap_memeq_timingsafe(),
  ap_streq_timingsafe(), ap_strneq_timingsafe().

* server/util.c: Implement, wrapping apr_*_timingsafe() if
  APR >= 1.8, with a fallback to copied-in versions.

* modules/aaa/mod_auth_digest.c: Replace apr_crypto_equals()
  with ap_memeq_timingsafe(). Remove apr_crypto.h include.

* modules/session/mod_session_crypto.c: Replace local
  ap_crypto_equals() with ap_memeq_timingsafe(). Remove
  the local implementation and macro alias.

* include/ap_mmn.h: Bump MMN minor.

(cherry picked from commit 7f5de0a)
@notroj
Revert "CI: Since r1933356, APR-util 1.6.x is the minimum version."
6327b58 
This reverts commit b8508bd.
@notroj
Revert to previous APR-util version requirement.
101a105
asf-gitbox-commits pushed a commit that referenced this pull request Apr 30, 2026
@covener
Merge r1933389 from trunk:
e66cbab 
Add ap_*_timingsafe() constant-time comparison functions:

* include/httpd.h: Declare ap_memeq_timingsafe(), ap_streq_timingsafe(), ap_strneq_timingsafe().

* server/util.c: Implement, wrapping apr_*_timingsafe() if APR >= 1.8, with a fallback to copied-in versions.

* modules/aaa/mod_auth_digest.c: Replace apr_crypto_equals() with ap_memeq_timingsafe(). Remove apr_crypto.h include.

* modules/session/mod_session_crypto.c: Replace local ap_crypto_equals() with ap_memeq_timingsafe(). Remove the local implementation and macro alias.

* include/ap_mmn.h: Bump MMN minor.

Submitted by:  jorton
Reviewed by: jorton, rpluem, covener

Github: closes #639


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933444 13f79535-47bb-0310-9956-ffa450edef68
@notroj
Copy link
Copy Markdown
Collaborator Author

notroj commented Apr 30, 2026

Merged in e66cbab

@notroj notroj closed this Apr 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@notroj @rbowen @covener