AES-GCM: Use os_memcmp_const() for hash/password comparisons

This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/crypto/aes-gcm.c b/src/crypto/aes-gcm.c
index 3d91c71de2dd93393833000603638f46aaaaa3c1..84294d2d104caae7268d91e98ab6836ac3d68cfb 100644 (file)
--- a/src/crypto/aes-gcm.c
+++ b/src/crypto/aes-gcm.c
@@ -310,7 +310,7 @@ int aes_gcm_ad(const u8 *key, size_t key_len, const u8 *iv, size_t iv_len,
 
        aes_encrypt_deinit(aes);
 
-       if (os_memcmp(tag, T, 16) != 0) {
+       if (os_memcmp_const(tag, T, 16) != 0) {
                wpa_printf(MSG_EXCESSIVE, "GCM: Tag mismatch");
                return -1;
        }