1eb47c5314ed8d615a0eda228a3d7b3a63a6efb5
[librecmc/librecmc.git] /
1 From 00a6cc73da61b03c146b6c341d0d1e572bcef432 Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <j@w1.fi>
3 Date: Mon, 24 Jun 2019 23:02:51 +0300
4 Subject: [PATCH 5/6] EAP-pwd: Run through prf result processing even if it >=
5  prime
6
7 This reduces differences in timing and memory access within the
8 hunting-and-pecking loop for ECC groups that have a prime that is not
9 close to a power of two (e.g., Brainpool curves).
10
11 Signed-off-by: Jouni Malinen <j@w1.fi>
12 (cherry picked from commit cd803299ca485eb857e37c88f973fccfbb8600e5)
13 ---
14  src/eap_common/eap_pwd_common.c | 13 ++++++++++---
15  1 file changed, 10 insertions(+), 3 deletions(-)
16
17 --- a/src/eap_common/eap_pwd_common.c
18 +++ b/src/eap_common/eap_pwd_common.c
19 @@ -155,6 +155,8 @@ int compute_password_element(EAP_PWD_gro
20         struct crypto_bignum *x_candidate = NULL;
21         const struct crypto_bignum *prime;
22         u8 mask, found_ctr = 0, is_odd = 0;
23 +       int cmp_prime;
24 +       unsigned int in_range;
25  
26         if (grp->pwe)
27                 return -1;
28 @@ -241,8 +243,13 @@ int compute_password_element(EAP_PWD_gro
29                 if (primebitlen % 8)
30                         buf_shift_right(prfbuf, primebytelen,
31                                         8 - primebitlen % 8);
32 -               if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
33 -                       continue;
34 +               cmp_prime = const_time_memcmp(prfbuf, prime_bin, primebytelen);
35 +               /* Create a const_time mask for selection based on prf result
36 +                * being smaller than prime. */
37 +               in_range = const_time_fill_msb((unsigned int) cmp_prime);
38 +               /* The algorithm description would skip the next steps if
39 +                * cmp_prime >= 0, but go through them regardless to minimize
40 +                * externally observable differences in behavior. */
41  
42                 crypto_bignum_deinit(x_candidate, 1);
43                 x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
44 @@ -306,7 +313,7 @@ int compute_password_element(EAP_PWD_gro
45                         goto fail;
46                 mask = const_time_eq(res, check);
47                 found_ctr = const_time_select_u8(found, found_ctr, ctr);
48 -               found |= mask;
49 +               found |= mask & in_range;
50         }
51         if (found == 0) {
52                 wpa_printf(MSG_INFO,