EAP-GTC: Use os_memcmp_const() for hash/password comparisons

This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-06-29 20:26:25 +03:00
parent a6eae3f7a1
commit 3e4b77c9bd

View file

@ -175,7 +175,7 @@ static void eap_gtc_process(struct eap_sm *sm, void *priv,
}
if (rlen != sm->user->password_len ||
os_memcmp(pos, sm->user->password, rlen) != 0) {
os_memcmp_const(pos, sm->user->password, rlen) != 0) {
wpa_printf(MSG_DEBUG, "EAP-GTC: Done - Failure");
data->state = FAILURE;
} else {