Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added constant time string comparison to avoid possible time-based attacks. #3836

Merged
merged 16 commits into from
Nov 21, 2017
Merged

Added constant time string comparison to avoid possible time-based attacks. #3836

merged 16 commits into from
Nov 21, 2017

Conversation

bluemurder
Copy link
Contributor

This should resolve #1127.

igrr
igrr reviewed Nov 15, 2017
View reviewed changes
libraries/ArduinoOTA/ArduinoOTA.h Outdated
@@ -93,6 +93,7 @@ class ArduinoOTAClass
void _onRx(void);
int parseInt(void);
String readStringUntil(char end);
bool constantTimeEquals(const String &string1, const String &string2);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: can this method be moved into String class, so reuse in other places is possible?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok I'll do that

libraries/ArduinoOTA/ArduinoOTA.cpp Outdated

// Preliminary check
if(string1.length() != string2.length()) {
return false;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indentation

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

libraries/ArduinoOTA/ArduinoOTA.cpp Outdated
bool equals = true;
unsigned int len = string1.length();
for(unsigned int i = 0; i < len; i++){
equals &= (string1.charAt(i) == string2.charAt(i));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be interesting to see the generated code for this loop at -O2 optimization level... I wonder whether the compiler is smart enough to convert this 'and' into 'branch-if-zero'.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. Maybe better to write not so easily optimizable code. Ill think about that

bluemurder and others added 4 commits November 15, 2017 13:48
@bluemurder
Fixed indentation
fe324cc
Moved string comnparison in constant time to String class; modified f…
1aad21f 
…unction body to assure constant time comparison despite compiler optimizations
Merge branch 'master' of https://github.com/bluemurder/Arduino
2ec42df 
# Conflicts:
#	libraries/ArduinoOTA/ArduinoOTA.cpp
Removed wrong code
aca2832
@bluemurder
Copy link
Contributor Author

@igrr tried to met all your requests

@devyte
Copy link
Collaborator

devyte commented Nov 17, 2017

Except for my two nitpick cleanups, this looks good to me.

@devyte
Copy link
Collaborator

devyte commented Nov 21, 2017

This should still be tested more thoroughly, but after careful inspection, the code looks good, so merging.

@devyte devyte merged commit 03f1a54 into esp8266:master Nov 21, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@igrr igrr igrr left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Timing attack in OTA authentication
3 participants
@bluemurder @devyte @igrr