EAP-MSCHAPv2: Use os_memcmp_const() for hash/password comparisons

This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-29 20:25:36 +03:00 · 2014-06-29 20:25:36 +03:00 · a6eae3f7a1
commit a6eae3f7a1
parent 30411b351c
2 changed files with 3 additions and 3 deletions
--- a/src/eap_peer/mschapv2.c
+++ b/src/eap_peer/mschapv2.c
@ -117,8 +117,8 @@ int mschapv2_verify_auth_response(const u8 *auth_response,
 	    buf[0] != 'S' || buf[1] != '=' ||
 	    hexstr2bin((char *) (buf + 2), recv_response,
 		       MSCHAPV2_AUTH_RESPONSE_LEN) ||
-	    os_memcmp(auth_response, recv_response,
-		      MSCHAPV2_AUTH_RESPONSE_LEN) != 0)
+	    os_memcmp_const(auth_response, recv_response,
+			    MSCHAPV2_AUTH_RESPONSE_LEN) != 0)
 		return -1;
 	return 0;
 }