From 72619ce61b3c9fe32bc487928414380795c9d392 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 29 Jun 2014 20:14:17 +0300 Subject: [PATCH] MACsec: Use os_memcmp_const() for hash/password comparisons This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices. Signed-off-by: Jouni Malinen --- src/pae/ieee802_1x_kay.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index fb8a8ca..56c195a 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -2942,8 +2942,9 @@ static int ieee802_1x_kay_mkpdu_sanity_check(struct ieee802_1x_kay *kay, mka_msg_len); if (msg_icv) { - if (os_memcmp(msg_icv, icv, - mka_alg_tbl[kay->mka_algindex].icv_len) != 0) { + if (os_memcmp_const(msg_icv, icv, + mka_alg_tbl[kay->mka_algindex].icv_len) != + 0) { wpa_printf(MSG_ERROR, "KaY: Computed ICV is not equal to Received ICV"); return -1; -- 2.1.4