This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.
Signed-off-by: Jouni Malinen <j@w1.fi>
buf[0] != 'S' || buf[1] != '=' ||
hexstr2bin((char *) (buf + 2), recv_response,
MSCHAPV2_AUTH_RESPONSE_LEN) ||
- os_memcmp(auth_response, recv_response,
- MSCHAPV2_AUTH_RESPONSE_LEN) != 0)
+ os_memcmp_const(auth_response, recv_response,
+ MSCHAPV2_AUTH_RESPONSE_LEN) != 0)
return -1;
return 0;
}
return;
}
- if (os_memcmp(nt_response, expected, 24) == 0) {
+ if (os_memcmp_const(nt_response, expected, 24) == 0) {
const u8 *pw_hash;
u8 pw_hash_buf[16], pw_hash_hash[16];