Added constant time string comparison to avoid possible time-based attacks. (#3836)

* Added constant time strings comparison to avoid possible time-based attacks * Fixed data types * Fixed indentation * Moved string comnparison in constant time to String class; modified function body to assure constant time comparison despite compiler optimizations * Removed wrong code * Fixed error and prevented compiler optimization to delete u1 local variable * Avoid timing attacks on string comparison * Minor * changed counter names, removed else
2025-06-12 01:53:07 +03:00 · 2017-11-21 05:56:05 +01:00
parent cbfbc1ad63
commit 03f1a540ca
4 changed files with 30 additions and 2 deletions
--- a/libraries/ArduinoOTA/ArduinoOTA.cpp
+++ b/libraries/ArduinoOTA/ArduinoOTA.cpp
@ -229,7 +229,7 @@ void ArduinoOTAClass::_onRx(){
    String result = _challengemd5.toString();

    ota_ip.addr = (uint32_t)_ota_ip;
-    if(result.equals(response)){
+    if(result.equalsConstantTime(response)) {
      _state = OTA_RUNUPDATE;
    } else {
      _udp_ota->append("Authentication Failed", 21);