From 3e4b77c9bdcabb60ecb5253752cc2c1af5cb67e7 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 29 Jun 2014 20:26:25 +0300 Subject: [PATCH] EAP-GTC: Use os_memcmp_const() for hash/password comparisons This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen --- src/eap_server/eap_server_gtc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/eap_server/eap_server_gtc.c b/src/eap_server/eap_server_gtc.c index f423106bf..98ac3c6ec 100644 --- a/src/eap_server/eap_server_gtc.c +++ b/src/eap_server/eap_server_gtc.c @@ -175,7 +175,7 @@ static void eap_gtc_process(struct eap_sm *sm, void *priv, } if (rlen != sm->user->password_len || - os_memcmp(pos, sm->user->password, rlen) != 0) { + os_memcmp_const(pos, sm->user->password, rlen) != 0) { wpa_printf(MSG_DEBUG, "EAP-GTC: Done - Failure"); data->state = FAILURE; } else {