EAP-IKEv2: Use os_memcmp_const() for hash/password comparisons

This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
author: Jouni Malinen <j@w1.fi> 2014-06-29 17:18:40 (GMT)
committer: Jouni Malinen <j@w1.fi> 2014-07-02 09:38:47 (GMT)
commit: 675ddad1c20fffdb2795c80db9aa8ae96683ff81 (patch)
tree: 74abac9d0e0cfa4c41ef0f15283ab8735d2ffcbd /src/eap_server
parent: 2049a3c8749a66b302fcb105760997cc66805bbd (diff)
download: hostap-675ddad1c20fffdb2795c80db9aa8ae96683ff81.zip
hostap-675ddad1c20fffdb2795c80db9aa8ae96683ff81.tar.gz
hostap-675ddad1c20fffdb2795c80db9aa8ae96683ff81.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/eap_server/ikev2.c b/src/eap_server/ikev2.c
index 512ba30..632598f 100644
--- a/src/eap_server/ikev2.c
+++ b/src/eap_server/ikev2.c
@@ -633,7 +633,7 @@ static int ikev2_process_auth_secret(struct ikev2_initiator_data *data,
 		return -1;
 
 	if (auth_len != prf->hash_len ||
-	    os_memcmp(auth, auth_data, auth_len) != 0) {
+	    os_memcmp_const(auth, auth_data, auth_len) != 0) {
 		wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
 		wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
 			    auth, auth_len);
author	Jouni Malinen <j@w1.fi>	2014-06-29 17:18:40 (GMT)
committer	Jouni Malinen <j@w1.fi>	2014-07-02 09:38:47 (GMT)
commit	675ddad1c20fffdb2795c80db9aa8ae96683ff81 (patch)
tree	74abac9d0e0cfa4c41ef0f15283ab8735d2ffcbd /src/eap_server
parent	2049a3c8749a66b302fcb105760997cc66805bbd (diff)
download	hostap-675ddad1c20fffdb2795c80db9aa8ae96683ff81.zip hostap-675ddad1c20fffdb2795c80db9aa8ae96683ff81.tar.gz hostap-675ddad1c20fffdb2795c80db9aa8ae96683ff81.tar.bz2