SAE: Use os_memcmp_const() for hash/password comparisons

This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 65f87b0..de1ee5e 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -403,7 +403,7 @@ static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
                return -1;
        if (hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
                        addr, ETH_ALEN, mac) < 0 ||
-           os_memcmp(token, mac, SHA256_MAC_LEN) != 0)
+           os_memcmp_const(token, mac, SHA256_MAC_LEN) != 0)
                return -1;
 
        return 0;

diff --git a/src/common/sae.c b/src/common/sae.c
index c1b488e..b67623f 100644 (file)
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -1051,7 +1051,7 @@ int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
                                   sae->tmp->own_commit_element_ffc,
                                   verifier);
 
-       if (os_memcmp(verifier, data + 2, SHA256_MAC_LEN) != 0) {
+       if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
                wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
                wpa_hexdump(MSG_DEBUG, "SAE: Received confirm",
                            data + 2, SHA256_MAC_LEN);