#2 CHAP password comparison susceptible to timing attack

v1.0 (example)
open
None
5
2014-07-23
2014-07-23
mikec
No

AccessRequest.verifyChapPassword() does not use a constant time comparison of the chapHash, and so a valid chapHash could be discovered using timing attacks. Should do what org.bouncycastle.util.Arrays.constantTimeAreEqual does, or something similar.
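The difference the ticket describes, as an added example that is not the project's code: an early-exit comparison beside a constant-time one, used in a CHAP check built from the RFC 2865 definition. The class name `ChapCompareExample`, its method names, the UTF-8 password encoding and the sample values are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Hypothetical class for illustration; not the project's AccessRequest.
public class ChapCompareExample {
    // RFC 2865 CHAP response: MD5(ident || password || challenge).
    static byte[] chapHash(byte ident, String password, byte[] challenge) throws Exception {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(ident);
        md5.update(password.getBytes(StandardCharsets.UTF_8)); // encoding is an assumption
        md5.update(challenge);
        return md5.digest();
    }

    // Early-exit comparison, shown for contrast only: it returns at the first
    // mismatching byte, so run time depends on how long a prefix is correct.
    static boolean earlyExitEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) if (a[i] != b[i]) return false;
        return true;
    }

    // Constant-time comparison: every byte is examined and the differences
    // are OR-ed together; the length (16 for MD5) is not secret.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // chapPassword = 1-byte CHAP identifier followed by the 16-byte response.
    static boolean verifyChap(String password, byte[] challenge, byte[] chapPassword) throws Exception {
        if (chapPassword == null || chapPassword.length != 17) return false;
        byte[] expected = chapHash(chapPassword[0], password, challenge);
        return constantTimeEquals(expected, Arrays.copyOfRange(chapPassword, 1, 17));
    }

    public static void main(String[] args) throws Exception {
        byte[] challenge = new byte[16];          // constructed sample challenge
        Arrays.fill(challenge, (byte) 0x5a);
        byte[] attr = new byte[17];               // constructed CHAP-Password value
        attr[0] = 7;
        System.arraycopy(chapHash((byte) 7, "secret", challenge), 0, attr, 1, 16);
        System.out.println("valid response accepted: " + verifyChap("secret", challenge, attr));
        attr[16] ^= 1;                            // corrupt the last byte of the response
        System.out.println("tampered response accepted: " + verifyChap("secret", challenge, attr));
    }
}
```

The JDK's `java.security.MessageDigest.isEqual` can replace the hand-written `constantTimeEquals` where adding a Bouncy Castle dependency is not wanted.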
