1eb47c5314ed8d615a0eda228a3d7b3a63a6efb5
[openwrt/staging/jogo.git] /
1 From 00a6cc73da61b03c146b6c341d0d1e572bcef432 Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <j@w1.fi>
3 Date: Mon, 24 Jun 2019 23:02:51 +0300
4 Subject: [PATCH 5/6] EAP-pwd: Run through prf result processing even if it >=
5 prime
6
7 This reduces differences in timing and memory access within the
8 hunting-and-pecking loop for ECC groups that have a prime that is not
9 close to a power of two (e.g., Brainpool curves).
10
11 Signed-off-by: Jouni Malinen <j@w1.fi>
12 (cherry picked from commit cd803299ca485eb857e37c88f973fccfbb8600e5)
13 ---
14 src/eap_common/eap_pwd_common.c | 13 ++++++++++---
15 1 file changed, 10 insertions(+), 3 deletions(-)
16
17 --- a/src/eap_common/eap_pwd_common.c
18 +++ b/src/eap_common/eap_pwd_common.c
19 @@ -155,6 +155,8 @@ int compute_password_element(EAP_PWD_gro
20 struct crypto_bignum *x_candidate = NULL;
21 const struct crypto_bignum *prime;
22 u8 mask, found_ctr = 0, is_odd = 0;
23 + int cmp_prime;
24 + unsigned int in_range;
25
26 if (grp->pwe)
27 return -1;
28 @@ -241,8 +243,13 @@ int compute_password_element(EAP_PWD_gro
29 if (primebitlen % 8)
30 buf_shift_right(prfbuf, primebytelen,
31 8 - primebitlen % 8);
32 - if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
33 - continue;
34 + cmp_prime = const_time_memcmp(prfbuf, prime_bin, primebytelen);
35 + /* Create a const_time mask for selection based on prf result
36 + * being smaller than prime. */
37 + in_range = const_time_fill_msb((unsigned int) cmp_prime);
38 + /* The algorithm description would skip the next steps if
39 + * cmp_prime >= 0, but go through them regardless to minimize
40 + * externally observable differences in behavior. */
41
42 crypto_bignum_deinit(x_candidate, 1);
43 x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
44 @@ -306,7 +313,7 @@ int compute_password_element(EAP_PWD_gro
45 goto fail;
46 mask = const_time_eq(res, check);
47 found_ctr = const_time_select_u8(found, found_ctr, ctr);
48 - found |= mask;
49 + found |= mask & in_range;
50 }
51 if (found == 0) {
52 wpa_printf(MSG_INFO,