EAP-GTC: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
a6eae3f7a1
commit
3e4b77c9bd
1 changed files with 1 additions and 1 deletions
|
@ -175,7 +175,7 @@ static void eap_gtc_process(struct eap_sm *sm, void *priv,
|
|||
}
|
||||
|
||||
if (rlen != sm->user->password_len ||
|
||||
os_memcmp(pos, sm->user->password, rlen) != 0) {
|
||||
os_memcmp_const(pos, sm->user->password, rlen) != 0) {
|
||||
wpa_printf(MSG_DEBUG, "EAP-GTC: Done - Failure");
|
||||
data->state = FAILURE;
|
||||
} else {
|
||||
|
|
Loading…
Reference in a new issue