Add timingsafe_bcmp(), for constant-time memory comparison
Heikki Linnakangas <heikki.linnakangas@iki.fi>
Author:
Heikki Linnakangas <heikki.linnakangas@iki.fi>
Committer:
Noah Misch <noah@leadboat.com>
Date: 2026-05-11T12:13:51Z
Releases:
14.23
Add timingsafe_bcmp(), for constant-time memory comparison timingsafe_bcmp() should be used instead of memcmp() or a naive for-loop, when comparing passwords or secret tokens, to avoid leaking information about the secret token by timing. This commit just introduces the function but does not change any existing code to use it yet. This has been initially applied as of 09be39112654 in v18 and newer versions, and will be used in all the stable branches for an upcoming fix. Co-authored-by: Jelte Fennema-Nio <github-tech@jeltef.nl> Discussion: https://www.postgresql.org/message-id/7b86da3b-9356-4e50-aa1b-56570825e234@iki.fi Security: CVE-2026-6478 Backpatch-through: 14
Files
| Path | Change | +/− |
|---|---|---|
| configure | modified | +23 −0 |
| configure.ac | modified | +2 −1 |
| src/include/pg_config.h.in | modified | +7 −0 |
| src/include/port.h | modified | +4 −0 |
| src/port/timingsafe_bcmp.c | added | +43 −0 |
| src/tools/msvc/Mkvcbuild.pm | modified | +1 −1 |
| src/tools/msvc/Solution.pm | modified | +2 −0 |
Discussion
- Make query cancellation keys longer 40 messages · 2024-02-29 → 2025-04-03