RADIUS: Use os_memcmp_const() for hash/password comparisons

This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2014-06-29 20:13:01 +03:00
parent ce9c9bcc38
commit c2371953f8
2 changed files with 6 additions and 6 deletions

@ -864,7 +864,7 @@ radius_server_macacl(struct radius_server_data *data,
os_free(tmp.password);
if (res < 0 || pw_len != (size_t) res ||
os_memcmp(pw, buf, res) != 0) {
os_memcmp_const(pw, buf, res) != 0) {
RADIUS_DEBUG("Incorrect User-Password");
code = RADIUS_CODE_ACCESS_REJECT;
}
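
Review bot: The `pw_len != (size_t) res` test in this condition short-circuits before `os_memcmp_const(pw, buf, res)` runs, so a length mismatch is still rejected on a faster path than a same-length content mismatch; only the byte comparison is constant-time. If the length of the expected password is considered non-secret here, a one-line comment saying so would keep the intent clear. It would also help to note that the order of the three tests matters: `res` is an int used as the length argument, and it is the preceding `res < 0` check that keeps a negative value from reaching the call, so a later reordering of the condition would break that guard.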