git.librecmc.org Git - librecmc/librecmc.git/blob

   1 From 20d7bd83c43fb24c4cf84d3045254d3ee1957166 Mon Sep 17 00:00:00 2001
   2 From: Jouni Malinen <jouni@codeaurora.org>
   3 Date: Thu, 25 Apr 2019 19:07:05 +0300
   4 Subject: [PATCH 2/6] EAP-pwd: Use const_time_memcmp() for pwd_value >= prime
   5  comparison
   6
   7 This reduces timing and memory access pattern differences for an
   8 operation that could depend on the used password.
   9
  10 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
  11 (cherry picked from commit 7958223fdcfe82479e6ed71019a84f6d4cbf799c)
  12 ---
  13  src/eap_common/eap_pwd_common.c | 13 ++++++++-----
  14  1 file changed, 8 insertions(+), 5 deletions(-)
  15
  16 --- a/src/eap_common/eap_pwd_common.c
  17 +++ b/src/eap_common/eap_pwd_common.c
  18 @@ -144,6 +144,7 @@ int compute_password_element(EAP_PWD_gro
  19         u8 qnr_bin[MAX_ECC_PRIME_LEN];
  20         u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
  21         u8 x_bin[MAX_ECC_PRIME_LEN];
  22 +       u8 prime_bin[MAX_ECC_PRIME_LEN];
  23         struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
  24         struct crypto_hash *hash;
  25         unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
  26 @@ -161,6 +162,11 @@ int compute_password_element(EAP_PWD_gro
  27         os_memset(x_bin, 0, sizeof(x_bin));
  28
  29         prime = crypto_ec_get_prime(grp->group);
  30 +       primebitlen = crypto_ec_prime_len_bits(grp->group);
  31 +       primebytelen = crypto_ec_prime_len(grp->group);
  32 +       if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
  33 +                                primebytelen) < 0)
  34 +               return -1;
  35         grp->pwe = crypto_ec_point_init(grp->group);
  36         tmp1 = crypto_bignum_init();
  37         pm1 = crypto_bignum_init();
  38 @@ -170,8 +176,6 @@ int compute_password_element(EAP_PWD_gro
  39                 goto fail;
  40         }
  41
  42 -       primebitlen = crypto_ec_prime_len_bits(grp->group);
  43 -       primebytelen = crypto_ec_prime_len(grp->group);
  44         if ((prfbuf = os_malloc(primebytelen)) == NULL) {
  45                 wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
  46                            "buffer");
  47 @@ -237,6 +241,8 @@ int compute_password_element(EAP_PWD_gro
  48                 if (primebitlen % 8)
  49                         buf_shift_right(prfbuf, primebytelen,
  50                                         8 - primebitlen % 8);
  51 +               if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
  52 +                       continue;
  53
  54                 crypto_bignum_deinit(x_candidate, 1);
  55                 x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
  56 @@ -246,9 +252,6 @@ int compute_password_element(EAP_PWD_gro
  57                         goto fail;
  58                 }
  59
  60 -               if (crypto_bignum_cmp(x_candidate, prime) >= 0)
  61 -                       continue;
  62 -
  63                 wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
  64                                 prfbuf, primebytelen);
  65                 const_time_select_bin(found, x_bin, prfbuf, primebytelen,