MACsec: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
c2371953f8
commit
72619ce61b
1 changed files with 3 additions and 2 deletions
|
@ -2942,8 +2942,9 @@ static int ieee802_1x_kay_mkpdu_sanity_check(struct ieee802_1x_kay *kay,
|
||||||
mka_msg_len);
|
mka_msg_len);
|
||||||
|
|
||||||
if (msg_icv) {
|
if (msg_icv) {
|
||||||
if (os_memcmp(msg_icv, icv,
|
if (os_memcmp_const(msg_icv, icv,
|
||||||
mka_alg_tbl[kay->mka_algindex].icv_len) != 0) {
|
mka_alg_tbl[kay->mka_algindex].icv_len) !=
|
||||||
|
0) {
|
||||||
wpa_printf(MSG_ERROR,
|
wpa_printf(MSG_ERROR,
|
||||||
"KaY: Computed ICV is not equal to Received ICV");
|
"KaY: Computed ICV is not equal to Received ICV");
|
||||||
return -1;
|
return -1;
|
||||||
|
|
Loading…
Reference in a new issue