aboutsummaryrefslogtreecommitdiffstats
path: root/src/eap_server/eap_server_pax.c
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2014-06-29 17:21:31 (GMT)
committerJouni Malinen <j@w1.fi>2014-07-02 09:38:47 (GMT)
commite1550d4be890e071cec586f8171377be1fc96de5 (patch)
tree17d73ff7c84011f85dd27419071fd752616ccacd /src/eap_server/eap_server_pax.c
parentc434503f5e7d6a198772fb6bd1d56fc3de23dd9d (diff)
downloadhostap-e1550d4be890e071cec586f8171377be1fc96de5.zip
hostap-e1550d4be890e071cec586f8171377be1fc96de5.tar.gz
hostap-e1550d4be890e071cec586f8171377be1fc96de5.tar.bz2
EAP-PAX: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_server/eap_server_pax.c')
-rw-r--r--src/eap_server/eap_server_pax.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/eap_server/eap_server_pax.c b/src/eap_server/eap_server_pax.c
index 35a42ad..d923cd7 100644
--- a/src/eap_server/eap_server_pax.c
+++ b/src/eap_server/eap_server_pax.c
@@ -268,7 +268,7 @@ static Boolean eap_pax_check(struct eap_sm *sm, void *priv,
wpabuf_mhead(respData),
wpabuf_len(respData) - EAP_PAX_ICV_LEN,
NULL, 0, NULL, 0, icvbuf);
- if (os_memcmp(icvbuf, icv, EAP_PAX_ICV_LEN) != 0) {
+ if (os_memcmp_const(icvbuf, icv, EAP_PAX_ICV_LEN) != 0) {
wpa_printf(MSG_INFO, "EAP-PAX: Invalid ICV");
wpa_hexdump(MSG_MSGDUMP, "EAP-PAX: Expected ICV",
icvbuf, EAP_PAX_ICV_LEN);
@@ -395,7 +395,7 @@ static void eap_pax_process_std_2(struct eap_sm *sm,
data->rand.r.x, EAP_PAX_RAND_LEN,
data->rand.r.y, EAP_PAX_RAND_LEN,
(u8 *) data->cid, data->cid_len, mac);
- if (os_memcmp(mac, pos, EAP_PAX_MAC_LEN) != 0) {
+ if (os_memcmp_const(mac, pos, EAP_PAX_MAC_LEN) != 0) {
wpa_printf(MSG_INFO, "EAP-PAX: Invalid MAC_CK(A, B, CID) in "
"PAX_STD-2");
wpa_hexdump(MSG_MSGDUMP, "EAP-PAX: Expected MAC_CK(A, B, CID)",
@@ -417,7 +417,7 @@ static void eap_pax_process_std_2(struct eap_sm *sm,
wpabuf_head(respData),
wpabuf_len(respData) - EAP_PAX_ICV_LEN, NULL, 0, NULL, 0,
icvbuf);
- if (os_memcmp(icvbuf, pos, EAP_PAX_ICV_LEN) != 0) {
+ if (os_memcmp_const(icvbuf, pos, EAP_PAX_ICV_LEN) != 0) {
wpa_printf(MSG_INFO, "EAP-PAX: Invalid ICV in PAX_STD-2");
wpa_hexdump(MSG_MSGDUMP, "EAP-PAX: Expected ICV",
icvbuf, EAP_PAX_ICV_LEN);