| ??? 03/01/10 17:40 |
#173691 - using strncmp for a password check is a bug :^) Responding to: ???'s previous message |
Well, at least if you consider being a very easy target for a timing-based password attack a problem... Rather, do the compare routine yourself so it has a constant execution time (regardless of where the first non-matching character is). Do something like:
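    extern unsigned char password[];   // stored password, zero terminated (declaration assumed)
    extern unsigned char passINP[];    // entered password; buffer assumed at least as long as password[]

    bit passwdchk()
    {
        unsigned char i;
        unsigned char pattern = 0;     // collects every bit that differs
        for ( i=0; password[i]; i++ )  // assuming the known password is zero terminated
        {
            pattern |= (password[i] ^ passINP[i]);
        }
        pattern |= passINP[i];         // input must end here too, or a longer input with the right prefix would pass
        return pattern == 0;
    }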
Note, there is no "if" keyword in the inner loop.
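An added example, not part of the original post: the same idea in standard C (not Keil C51), with both comparisons instrumented so the leak is visible as a count of bytes examined, which stands in for execution time. `PW_MAX`, `KNOWN`, `pad`, `leaky_steps` and `ct_equal` are hypothetical names, and the secret is a constructed sample that must be shorter than `PW_MAX`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 16                            /* assumed fixed buffer size */
static const char KNOWN[PW_MAX] = "s3cret";  /* constructed sample secret, zero-padded */

/* Copy a guess into a zero-padded PW_MAX buffer so every read stays in bounds. */
static void pad(unsigned char out[PW_MAX], const char *s)
{
    size_t i, n = strlen(s);
    for (i = 0; i < PW_MAX; i++)
        out[i] = (i < n) ? (unsigned char)s[i] : 0;
}

/* Early-exit compare, as strncmp does: returns how many bytes were examined. */
size_t leaky_steps(const char *guess)
{
    unsigned char in[PW_MAX];
    size_t i;
    pad(in, guess);
    for (i = 0; i < PW_MAX; i++)
        if ((unsigned char)KNOWN[i] != in[i] || KNOWN[i] == '\0')
            return i + 1;                    /* stops at first mismatch or terminator */
    return PW_MAX;
}

/* Constant-time compare: always touches all PW_MAX bytes, no branch in the loop.
   Comparing the zero padding also rejects inputs shorter or longer than KNOWN. */
int ct_equal(const char *guess, size_t *steps)
{
    unsigned char in[PW_MAX], diff = 0;
    size_t i;
    pad(in, guess);
    for (i = 0; i < PW_MAX; i++)
        diff |= (unsigned char)((unsigned char)KNOWN[i] ^ in[i]);
    *steps = i;
    return diff == 0;
}

int main(void)
{
    const char *guesses[] = { "xxxxxx", "s3xxxx", "s3cre", "s3cret", "s3cretXYZ" };
    size_t k, n;
    for (k = 0; k < sizeof guesses / sizeof guesses[0]; k++) {
        int ok = ct_equal(guesses[k], &n);
        printf("%-10s leaky=%2lu steps  ct=%2lu steps  match=%d\n", guesses[k],
               (unsigned long)leaky_steps(guesses[k]), (unsigned long)n, ok);
    }
    return 0;
}
```

The early-exit count grows with the number of correct leading characters, while the constant-time count is the same for every input.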



