From 5197f0335cd682079e268edab1967dcee353a942 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Fri, 27 Jun 2014 12:05:47 +0200
Subject: [PATCH] EAP-pwd: Use os_memcmp_const() for hash comparisons

This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices.

Signed-off-by: Florent Daigniere
---
 src/eap_peer/eap_pwd.c | 2 +-
 src/eap_server/eap_server_pwd.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index 089aec36d..ef80dba35 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -589,7 +589,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 eap_pwd_h_final(hash, conf);
 ptr = (u8 *) payload;
- if (os_memcmp(conf, ptr, SHA256_MAC_LEN)) {
+ if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) {
 wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm did not verify");
 goto fin;
 }
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index 38fa0f201..fc2ae263e 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -835,7 +835,7 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
 eap_pwd_h_final(hash, conf);
 ptr = (u8 *) payload;
- if (os_memcmp(conf, ptr, SHA256_MAC_LEN)) {
+ if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) {
 wpa_printf(MSG_INFO, "EAP-PWD (server): confirm did not "
 "verify");
 goto fin;
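Review bot: The `os_memcmp_const(conf, ptr, SHA256_MAC_LEN)` line reads a full SHA256_MAC_LEN bytes from `ptr`, which points into the `payload` received from the remote side, and nothing visible in this hunk establishes that the payload is at least that long. The constant-time variant always walks the whole length, so a short confirm message would be read past its end on every attempt. The body of eap_pwd_perform_confirm_exchange starts and ends outside the hunk, so confirm whether a length check already exists; if it does not, add a guard ahead of the compare along the lines of `if (payload_len < SHA256_MAC_LEN) goto fin;` (using whatever length the function is actually given). The same applies to the identical compare in eap_pwd_process_confirm_resp in src/eap_server/eap_server_pwd.c. A short comment such as `/* constant-time: conf is derived from private material */` on both calls would also help keep them from being reverted to os_memcmp() later.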