SAE: Use os_memcmp_const() for hash/password comparisons
authorJouni Malinen <j@w1.fi>
Sun, 29 Jun 2014 17:28:25 +0000 (20:28 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 2 Jul 2014 09:38:48 +0000 (12:38 +0300)
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/ap/ieee802_11.c
src/common/sae.c

index 65f87b0d52bdd3ae5fbe81bce7029b6e68dc2304..de1ee5ed0ec29134652cb337e0eda8a1a4878a49 100644 (file)
@@ -403,7 +403,7 @@ static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
                return -1;
        if (hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
                        addr, ETH_ALEN, mac) < 0 ||
-           os_memcmp(token, mac, SHA256_MAC_LEN) != 0)
+           os_memcmp_const(token, mac, SHA256_MAC_LEN) != 0)
                return -1;
 
        return 0;
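Review bot: Nothing at the changed comparison in check_sae_token says why os_memcmp_const() is used instead of os_memcmp(), so a later cleanup could swap it back without noticing the timing concern; the same applies to the verifier comparison in sae_check_confirm in src/common/sae.c. A one-line comment above each call would keep the intent next to the code, for example `/* constant-time compare: mac is keyed with sae_token_key */` here and `/* constant-time compare: verifier depends on material private to the peers */` there. check_sae_token starts above this hunk, so the check behind the `return -1` on the first context line is not visible; it presumably validates the token length before SHA256_MAC_LEN bytes of `token` are read.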
index c1b488e912be9e4b2ce14a16da2bf830b9e03570..b67623f8cc63ebf5954f7afd5721c4c622ada953 100644 (file)
@@ -1051,7 +1051,7 @@ int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
                                   sae->tmp->own_commit_element_ffc,
                                   verifier);
 
-       if (os_memcmp(verifier, data + 2, SHA256_MAC_LEN) != 0) {
+       if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
                wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
                wpa_hexdump(MSG_DEBUG, "SAE: Received confirm",
                            data + 2, SHA256_MAC_LEN);
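Review bot: The comparison and the hexdump in the mismatch branch both read SHA256_MAC_LEN bytes starting at `data + 2`, but the check that `len` covers that range is not visible in this hunk, because sae_check_confirm starts above it and continues below it. If the check exists earlier in the function, a short comment at the comparison such as `/* len >= 2 + SHA256_MAC_LEN verified above */` would state the precondition at the point of use. If it does not, a guard like `if (len < 2 + SHA256_MAC_LEN) return -1;` belongs before the verifier is computed, since a constant-time compare gives no protection against a short frame.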