compare security token via constant_time_equal() to avoid timing attacks on the security token. NEEDS NEW LIBPEPADAPTER!

3 years ago · f7043856c3
parent b687c4d531
commit f7043856c3
1 changed files with 4 additions and 2 deletions
--- a/server/json-adapter.cc
+++ b/server/json-adapter.cc
@ -26,6 +26,7 @@

 #include <pEp/keymanagement.h>
 #include <pEp/call_with_lock.hh>
+#include <pEp/constant_time_algo.hh>
 #include <pEp/status_to_string.hh>  // from libpEpAdapter.
 #include <pEp/locked_queue.hh>

@ -333,11 +334,12 @@ void JsonAdapter::shutdown(timeval* t)
 bool JsonAdapter::verify_security_token(const std::string& s) const
 {
 	check_guard();
-	if(s!=i->token)
+	const bool eq = pEp::constant_time_equal(s, i->token);
+	if( eq==false )
 	{
 		Log(Logger::Notice) << "sec_token=\"" << i->token << "\" (len=" << i->token.size() << ") is unequal to \"" << s << "\" (len=" << s.size() << ")!";
 	}
-	return s == i->token;
+	return eq;
 }