
Added constant time string comparison to avoid possible time-based attacks. (#3836)

* Added constant time strings comparison to avoid possible time-based attacks

* Fixed data types

* Fixed indentation

* Moved constant-time string comparison to the String class; modified the function body to ensure constant-time comparison despite compiler optimizations

* Removed wrong code

* Fixed error and prevented compiler optimization to delete u1 local variable

* Avoid timing attacks on string comparison

* Minor

* changed counter names, removed else
This commit is contained in:
Alessio Leoncini
2017-11-21 05:56:05 +01:00
committed by Develo
parent cbfbc1ad63
commit 03f1a540ca
4 changed files with 30 additions and 2 deletions


@ -119,7 +119,7 @@ bool ESP8266WebServer::authenticate(const char * username, const char * password
return false;
}
sprintf(toencode, "%s:%s", username, password);
if(base64_encode_chars(toencode, toencodeLen, encoded) > 0 && authReq.equals(encoded)){
if(base64_encode_chars(toencode, toencodeLen, encoded) > 0 && authReq.equalsConstantTime(encoded)) {
authReq = String();
delete[] toencode;
delete[] encoded;
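Review bot: The plaintext `username:password` pair that sprintf writes into `toencode` two lines above the changed line is released with `delete[] toencode;` without being cleared, so the secret the new constant-time compare protects remains in freed heap memory; consider `memset(toencode, 0, toencodeLen);` immediately before that `delete[]`, noting that a compiler may drop a store made right before deallocation, so a volatile-qualified clearing loop is the safer form. The new `authReq.equalsConstantTime(encoded)` call on the changed line presumably still exits early when the two lengths differ, which reveals only the encoded credential's length — acceptable, but worth recording with a comment such as `// constant-time compare; a length mismatch still returns early and reveals only the length`. Whether the comparison is actually constant-time depends on the String method body, which lives in another file of this commit and is not visible in this hunk. `authenticate` begins before this hunk and continues after it.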