EAP-pwd: Use os_memcmp_const() for hash comparisons
This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
This commit is contained in:
parent
26c10f797c
commit
5197f0335c
2 changed files with 2 additions and 2 deletions
|
@ -589,7 +589,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
||||||
eap_pwd_h_final(hash, conf);
|
eap_pwd_h_final(hash, conf);
|
||||||
|
|
||||||
ptr = (u8 *) payload;
|
ptr = (u8 *) payload;
|
||||||
if (os_memcmp(conf, ptr, SHA256_MAC_LEN)) {
|
if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) {
|
||||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm did not verify");
|
wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm did not verify");
|
||||||
goto fin;
|
goto fin;
|
||||||
}
|
}
|
||||||
|
|
|
@ -835,7 +835,7 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
||||||
eap_pwd_h_final(hash, conf);
|
eap_pwd_h_final(hash, conf);
|
||||||
|
|
||||||
ptr = (u8 *) payload;
|
ptr = (u8 *) payload;
|
||||||
if (os_memcmp(conf, ptr, SHA256_MAC_LEN)) {
|
if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) {
|
||||||
wpa_printf(MSG_INFO, "EAP-PWD (server): confirm did not "
|
wpa_printf(MSG_INFO, "EAP-PWD (server): confirm did not "
|
||||||
"verify");
|
"verify");
|
||||||
goto fin;
|
goto fin;
|
||||||
|
|
Loading…
Reference in a new issue