const time authentication in bozohttpd (pt. 2)

To: tech-security%netbsd.org@localhost
Subject: const time authentication in bozohttpd (pt. 2)
From: Mateusz Kocielski <shm%netbsd.org@localhost>
Date: Sun, 16 Nov 2014 14:26:49 +0000

Hello,

 as discussed previously [1] bozohttpd checks secrets using strcmp, which may
leak information about compared data. Previous patch was simply
over-complicated and wrong. riastradh@ suggested how it should look like,
basing on that I wrote a new patch proposal [2]. I'd like to commit it, if
there's no objections.

 [1] - http://mail-index.netbsd.org/tech-security/2014/06/25/msg000761.html
 [2] - http://www.netbsd.org/~shm/patches/auth-bozo.c.diff4

 Best Regards,
 Mateusz Kocielski (@shm)

Prev by Date: NetBSD Security Advisory 2014-015: OpenSSL and SSLv3 vulnerabilities
Next by Date: _98% approval average for small business loans.
Previous by Thread: NetBSD Security Advisory 2014-015: OpenSSL and SSLv3 vulnerabilities
Next by Thread: _98% approval average for small business loans.
Indexes:

Home | Main Index | Thread Index | Old Index