From c90ca4df8768d18f949f09e3d3c8bf50d81379e3 Mon Sep 17 00:00:00 2001
From: "J. Nick Koston"
Date: Sun, 8 Feb 2026 07:16:19 -0600
Subject: [PATCH] Use encoder output length and remove early return on length mismatch

Use the out length from esp_crypto_base64_encode instead of strlen. Fold length mismatch into the accumulator to make comparison fully constant-time without early return.
---
 esphome/components/web_server_idf/web_server_idf.cpp | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/esphome/components/web_server_idf/web_server_idf.cpp b/esphome/components/web_server_idf/web_server_idf.cpp
index 074c39a6ae..2c2ceef3a6 100644
--- a/esphome/components/web_server_idf/web_server_idf.cpp
+++ b/esphome/components/web_server_idf/web_server_idf.cpp
@@ -356,14 +356,13 @@ bool AsyncWebServerRequest::authenticate(const char *username, const char *passw
 // Constant-time comparison to avoid timing side channels
 const char *provided = auth_str + auth_prefix_len;
- size_t digest_len = strlen(digest.get());
+ size_t digest_len = out;
 size_t provided_len = strlen(provided);
- if (digest_len != provided_len) {
- return false;
- }
 volatile uint8_t result = 0;
+ result |= static_cast(digest_len ^ provided_len);
 for (size_t i = 0; i < digest_len; i++) {
- result |= digest.get()[i] ^ provided[i];
+ char provided_ch = (i < provided_len) ? provided[i] : 0;
+ result |= static_cast(digest.get()[i] ^ provided_ch);
 }
 return result == 0;
 }
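Review bot: The length fold `result |= static_cast(digest_len ^ provided_len);` narrows the XOR to the 8-bit accumulator (the cast's template argument is not visible in this rendering, but `result` is `volatile uint8_t`), so a `provided_len` that differs from `digest_len` by an exact multiple of 256 contributes zero. With the early return removed, the loop only checks the first `digest_len` bytes, so a value made of the correct digest plus trailing bytes of that length would compare equal, which the old code rejected. Keeping the full width closes this, e.g. `volatile size_t result = digest_len ^ provided_len;` with the per-byte `result |= ...` line left as is. A short comment there saying why the accumulator is `size_t` would stop it from being narrowed again. The body of `authenticate` starts outside the hunk, so whether `out` excludes the encoder's terminating NUL cannot be confirmed from here and is worth checking against the old `strlen` value.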