[lwip-devel] [bug #65119] The non-constant time memcmp function is used
From: Mohan
Subject: [lwip-devel] [bug #65119] The non-constant time memcmp function is used to compare the username and password
Date: Thu, 4 Jan 2024 01:00:33 -0500 (EST)
URL:
<https://savannah.nongnu.org/bugs/?65119>
Summary: The non-constant time memcmp function is used to
compare the username and password
Group: lwIP - A Lightweight TCP/IP stack
Submitter: mohand
Submitted: Thu 04 Jan 2024 06:00:33 AM UTC
Category: Security-related
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: 2.2.0
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Thu 04 Jan 2024 06:00:33 AM UTC By: Mohan <mohand>
The lwIP library uses the non-constant-time memcmp function while validating the user
id and password received. An adversary can mount a timing side-channel
attack to determine the valid user id and password.
The memcmp function compares one byte at a time and exits the function as soon
as the first character mismatch occurs. If this function is used to compare
secure data like an HMAC, user id, or password, the adversary can check the timing
of the response to determine the expected secure value one character at a time.
https://git.savannah.nongnu.org/cgit/lwip.git/tree/src/netif/ppp/auth.c?h=STABLE-2_2_0_RELEASE#n1006
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?65119>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
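
The difference the report describes, as an added example that is not lwIP code and not part of the original message: an early-exit comparison beside a fixed-work one, with a step counter that makes the data-dependent work visible. All function names and the sample strings are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Early-exit compare, same shape as a byte-wise memcmp; *steps counts bytes inspected. */
int leaky_equal(const unsigned char *a, const unsigned char *b, size_t n, size_t *steps)
{
    size_t i;
    for (i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;   /* returns at the first mismatching byte */
    }
    return 1;
}

/* Fixed-work compare: every byte is inspected, differences are OR-ed together. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t n, size_t *steps)
{
    volatile unsigned char diff = 0;   /* volatile: keep the full loop */
    size_t i;
    for (i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Hypothetical credential check: the loop length follows the supplied input
 * only, and a length mismatch is folded into the result, not returned early. */
int ct_secret_equal(const char *supplied, size_t supplied_len, const char *expected, size_t expected_len)
{
    volatile unsigned char diff = (unsigned char)(supplied_len != expected_len);
    size_t i;
    if (expected_len == 0)
        return supplied_len == 0;   /* nothing to index; no secret bytes involved */
    for (i = 0; i < supplied_len; i++)
        diff |= (unsigned char)(supplied[i] ^ expected[i % expected_len]);
    return diff == 0;
}

int main(void)
{
    const unsigned char stored[] = "s3cret-pw";   /* constructed sample values */
    const unsigned char guess[]  = "s3cXXX-pw";
    size_t leaky = 0, fixed = 0;
    leaky_equal(guess, stored, 9, &leaky);
    ct_equal(guess, stored, 9, &fixed);
    printf("early-exit inspected %zu bytes, fixed-work inspected %zu\n", leaky, fixed);
    return ct_secret_equal("s3cret-pw", 9, (const char *)stored, 9) ? 0 : 1;
}
```

Compilers can still rewrite such loops, so the generated code should be checked on the target toolchain, or a vetted constant-time primitive from a crypto library used instead.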