From a564d9ca3653af7d4e61cab12e10f232ca9c63ce Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 29 Jun 2014 20:24:41 +0300
Subject: [PATCH] EAP-MD5: Use os_memcmp_const() for hash/password comparisons

This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/eap_server/eap_server_md5.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/eap_server/eap_server_md5.c b/src/eap_server/eap_server_md5.c
index 5a5e2907e..71e8d59e0 100644
--- a/src/eap_server/eap_server_md5.c
+++ b/src/eap_server/eap_server_md5.c
@@ -126,7 +126,7 @@ static void eap_md5_process(struct eap_sm *sm, void *priv,
 		return;
 	}
 
-	if (os_memcmp(hash, pos, CHAP_MD5_LEN) == 0) {
+	if (os_memcmp_const(hash, pos, CHAP_MD5_LEN) == 0) {
 		wpa_printf(MSG_DEBUG, "EAP-MD5: Done - Success");
 		data->state = SUCCESS;
 	} else {