EAP-EKE: Use os_memcmp_const() for hash/password comparisons

This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/eap_common/eap_eke_common.c b/src/eap_common/eap_eke_common.c
index a62ac8e0460cb7e3f7ba92fd9f725091b4c1b5dc..4dfdb3f9c96bdff3cca3f4f60e7852e9c3a3076f 100644 (file)
--- a/src/eap_common/eap_eke_common.c
+++ b/src/eap_common/eap_eke_common.c
@@ -692,7 +692,7 @@ int eap_eke_decrypt_prot(struct eap_eke_session *sess,
        if (eap_eke_mac(sess->mac, sess->ki, prot + block_size,
                        prot_len - block_size - icv_len, icv) < 0)
                return -1;
-       if (os_memcmp(icv, prot + prot_len - icv_len, icv_len) != 0) {
+       if (os_memcmp_const(icv, prot + prot_len - icv_len, icv_len) != 0) {
                wpa_printf(MSG_INFO, "EAP-EKE: ICV mismatch in Prot() data");
                return -1;
        }

diff --git a/src/eap_peer/eap_eke.c b/src/eap_peer/eap_eke.c
index 6818b08f7ebf5191db519e9ae311d79a9bb98324..0f4e53504a1bd48c01ae159dd1b357ac626efa41 100644 (file)
--- a/src/eap_peer/eap_eke.c
+++ b/src/eap_peer/eap_eke.c
@@ -566,8 +566,8 @@ static struct wpabuf * eap_eke_process_confirm(struct eap_eke_data *data,
                                          EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
        }
        wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_S", auth_s, data->sess.prf_len);
-       if (os_memcmp(auth_s, pos + data->sess.pnonce_ps_len,
-                     data->sess.prf_len) != 0) {
+       if (os_memcmp_const(auth_s, pos + data->sess.pnonce_ps_len,
+                           data->sess.prf_len) != 0) {
                wpa_printf(MSG_INFO, "EAP-EKE: Auth_S does not match");
                return eap_eke_build_fail(data, ret, reqData,
                                          EAP_EKE_FAIL_AUTHENTICATION_FAIL);

diff --git a/src/eap_server/eap_server_eke.c b/src/eap_server/eap_server_eke.c
index b19a321af41c83885d76a4ef9bfa93d924c336f4..47ce2464aa88c6bbef0d6c5c8abac3382ca4cb77 100644 (file)
--- a/src/eap_server/eap_server_eke.c
+++ b/src/eap_server/eap_server_eke.c
@@ -635,8 +635,8 @@ static void eap_eke_process_confirm(struct eap_sm *sm,
                return;
        }
        wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_P", auth_p, data->sess.prf_len);
-       if (os_memcmp(auth_p, payload + data->sess.pnonce_len,
-                     data->sess.prf_len) != 0) {
+       if (os_memcmp_const(auth_p, payload + data->sess.pnonce_len,
+                           data->sess.prf_len) != 0) {
                wpa_printf(MSG_INFO, "EAP-EKE: Auth_P does not match");
                eap_eke_fail(data, EAP_EKE_FAIL_AUTHENTICATION_FAIL);
                return;