EAP-FAST: Use os_memcmp_const() for hash/password comparisons

This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-06-29 20:21:03 +03:00
parent dddf7bbd4e
commit c434503f5e
2 changed files with 3 additions and 3 deletions

View file

@ -767,7 +767,7 @@ static struct wpabuf * eap_fast_process_crypto_binding(
"MAC calculation", (u8 *) _bind, bind_len);
hmac_sha1(cmk, EAP_FAST_CMK_LEN, (u8 *) _bind, bind_len,
_bind->compound_mac);
res = os_memcmp(cmac, _bind->compound_mac, sizeof(cmac));
res = os_memcmp_const(cmac, _bind->compound_mac, sizeof(cmac));
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Received Compound MAC",
cmac, sizeof(cmac));
wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Calculated Compound MAC",

View file

@ -1198,7 +1198,7 @@ static int eap_fast_validate_crypto_binding(
return -1;
}
if (os_memcmp(data->crypto_binding_nonce, b->nonce, 31) != 0 ||
if (os_memcmp_const(data->crypto_binding_nonce, b->nonce, 31) != 0 ||
(data->crypto_binding_nonce[31] | 1) != b->nonce[31]) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid nonce in "
"Crypto-Binding");
@ -1212,7 +1212,7 @@ static int eap_fast_validate_crypto_binding(
(u8 *) b, bind_len);
hmac_sha1(data->cmk, EAP_FAST_CMK_LEN, (u8 *) b, bind_len,
b->compound_mac);
if (os_memcmp(cmac, b->compound_mac, sizeof(cmac)) != 0) {
if (os_memcmp_const(cmac, b->compound_mac, sizeof(cmac)) != 0) {
wpa_hexdump(MSG_MSGDUMP,
"EAP-FAST: Calculated Compound MAC",
b->compound_mac, sizeof(cmac));