authorJouni Malinen <j@w1.fi>2014-06-29 17:20:28 (GMT)
committerJouni Malinen <j@w1.fi>2014-07-02 09:38:47 (GMT)
commitdddf7bbd4e522666775db58ff1187ac99d971d7e (patch)
treef7621a0d74f2419da186cf81d3db8fc815004cff /src/eap_server
parentdfb56081391eff5cf3a46898ff1046c588d82005 (diff)
EAP-EKE: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_server')
-rw-r--r--src/eap_server/eap_server_eke.c4
1 files changed, 2 insertions, 2 deletions
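--- a/src/eap_server/eap_server_eke.c
+++ b/src/eap_server/eap_server_eke.c
@@ -635,8 +635,8 @@ static void eap_eke_process_confirm(struct eap_sm *sm,
 return;
 }
 wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_P", auth_p, data->sess.prf_len);
- if (os_memcmp(auth_p, payload + data->sess.pnonce_len,
- data->sess.prf_len) != 0) {
+ if (os_memcmp_const(auth_p, payload + data->sess.pnonce_len,
+ data->sess.prf_len) != 0) {
 wpa_printf(MSG_INFO, "EAP-EKE: Auth_P does not match");
 eap_eke_fail(data, EAP_EKE_FAIL_AUTHENTICATION_FAIL);
 return;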
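Review bot: The new os_memcmp_const() call carries no comment recording why a constant-time comparison is required at this point, so a later cleanup that "simplifies" it back to os_memcmp() would not look wrong in review; a one-line comment above the `if`, such as `/* Constant-time compare: Auth_P is derived from session secrets (see commit dddf7bbd) */`, would preserve the intent the commit message explains. The comparison reads `data->sess.prf_len` bytes starting at `payload + data->sess.pnonce_len`; the `return;` at the top of the hunk suggests an earlier length check, but that check is outside the hunk, so it is worth confirming that the payload length was validated to be at least `pnonce_len + prf_len` before this line runs. eap_eke_process_confirm begins and ends outside the hunk.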