--- /dev/null
+From aaf65feac67c3993935634eefe5bc76b9fce03aa Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 26 Feb 2019 11:59:45 +0200
+Subject: [PATCH 04/14] EAP-pwd: Use constant time and memory access for
+ finding the PWE
+
+This algorithm could leak information to external observers in form of
+timing differences or memory access patterns (cache use). While the
+previous implementation had protection against the most visible timing
+differences (looping 40 rounds and masking the legendre operation), it
+did not protect against memory access patterns between the two possible
+code paths in the masking operations. That might be sufficient to allow
+an unprivileged process running on the same device to be able to
+determine which path is being executed through a cache attack and based
+on that, determine information about the used password.
+
+Convert the PWE finding loop to use constant time functions and
+identical memory access path without different branches for the QR/QNR
+cases to minimize possible side-channel information similarly to the
+changes done for SAE authentication. (CVE-2019-9495)
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/eap_common/eap_pwd_common.c | 187 +++++++++++++++++++++-------------------
+ 1 file changed, 99 insertions(+), 88 deletions(-)
+
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -8,11 +8,15 @@
+
+ #include "includes.h"
+ #include "common.h"
++#include "utils/const_time.h"
+ #include "crypto/sha256.h"
+ #include "crypto/crypto.h"
+ #include "eap_defs.h"
+ #include "eap_pwd_common.h"
+
++#define MAX_ECC_PRIME_LEN 66
++
++
+ /* The random function H(x) = HMAC-SHA256(0^32, x) */
+ struct crypto_hash * eap_pwd_h_init(void)
+ {
+@@ -102,6 +106,15 @@ EAP_PWD_group * get_eap_pwd_group(u16 nu
+ }
+
+
++static void buf_shift_right(u8 *buf, size_t len, size_t bits)
++{
++ size_t i;
++ for (i = len - 1; i > 0; i--)
++ buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits);
++ buf[0] >>= bits;
++}
++
++
+ /*
+ * compute a "random" secret point on an elliptic curve based
+ * on the password and identities.
+@@ -113,17 +126,27 @@ int compute_password_element(EAP_PWD_gro
+ const u8 *token)
+ {
+ struct crypto_bignum *qr = NULL, *qnr = NULL, *one = NULL;
++ struct crypto_bignum *qr_or_qnr = NULL;
++ u8 qr_bin[MAX_ECC_PRIME_LEN];
++ u8 qnr_bin[MAX_ECC_PRIME_LEN];
++ u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
++ u8 x_bin[MAX_ECC_PRIME_LEN];
+ struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
+ struct crypto_hash *hash;
+ unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+- int is_odd, ret = 0, check, found = 0;
+- size_t primebytelen, primebitlen;
+- struct crypto_bignum *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
++ int ret = 0, check, res;
++ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
++ * mask */
++ size_t primebytelen = 0, primebitlen;
++ struct crypto_bignum *x_candidate = NULL, *cofactor = NULL;
+ const struct crypto_bignum *prime;
++ u8 mask, found_ctr = 0, is_odd = 0;
+
+ if (grp->pwe)
+ return -1;
+
++ os_memset(x_bin, 0, sizeof(x_bin));
++
+ prime = crypto_ec_get_prime(grp->group);
+ cofactor = crypto_bignum_init();
+ grp->pwe = crypto_ec_point_init(grp->group);
+@@ -152,8 +175,6 @@ int compute_password_element(EAP_PWD_gro
+
+ /* get a random quadratic residue and nonresidue */
+ while (!qr || !qnr) {
+- int res;
+-
+ if (crypto_bignum_rand(tmp1, prime) < 0)
+ goto fail;
+ res = crypto_bignum_legendre(tmp1, prime);
+@@ -167,6 +188,11 @@ int compute_password_element(EAP_PWD_gro
+ if (!tmp1)
+ goto fail;
+ }
++ if (crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin),
++ primebytelen) < 0 ||
++ crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin),
++ primebytelen) < 0)
++ goto fail;
+
+ os_memset(prfbuf, 0, primebytelen);
+ ctr = 0;
+@@ -194,17 +220,16 @@ int compute_password_element(EAP_PWD_gro
+ eap_pwd_h_update(hash, &ctr, sizeof(ctr));
+ eap_pwd_h_final(hash, pwe_digest);
+
+- crypto_bignum_deinit(rnd, 1);
+- rnd = crypto_bignum_init_set(pwe_digest, SHA256_MAC_LEN);
+- if (!rnd) {
+- wpa_printf(MSG_INFO, "EAP-pwd: unable to create rnd");
+- goto fail;
+- }
++ is_odd = const_time_select_u8(
++ found, is_odd, pwe_digest[SHA256_MAC_LEN - 1] & 0x01);
+ if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,
+ (u8 *) "EAP-pwd Hunting And Pecking",
+ os_strlen("EAP-pwd Hunting And Pecking"),
+ prfbuf, primebitlen) < 0)
+ goto fail;
++ if (primebitlen % 8)
++ buf_shift_right(prfbuf, primebytelen,
++ 8 - primebitlen % 8);
+
+ crypto_bignum_deinit(x_candidate, 1);
+ x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
+@@ -214,24 +239,13 @@ int compute_password_element(EAP_PWD_gro
+ goto fail;
+ }
+
+- /*
+- * eap_pwd_kdf() returns a string of bits 0..primebitlen but
+- * BN_bin2bn will treat that string of bits as a big endian
+- * number. If the primebitlen is not an even multiple of 8
+- * then excessive bits-- those _after_ primebitlen-- so now
+- * we have to shift right the amount we masked off.
+- */
+- if ((primebitlen % 8) &&
+- crypto_bignum_rshift(x_candidate,
+- (8 - (primebitlen % 8)),
+- x_candidate) < 0)
+- goto fail;
+-
+ if (crypto_bignum_cmp(x_candidate, prime) >= 0)
+ continue;
+
+- wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
+- prfbuf, primebytelen);
++ wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
++ prfbuf, primebytelen);
++ const_time_select_bin(found, x_bin, prfbuf, primebytelen,
++ x_bin);
+
+ /*
+ * compute y^2 using the equation of the curve
+@@ -260,13 +274,15 @@ int compute_password_element(EAP_PWD_gro
+ * Flip a coin, multiply by the random quadratic residue or the
+ * random quadratic nonresidue and record heads or tails.
+ */
+- if (crypto_bignum_is_odd(tmp1)) {
+- crypto_bignum_mulmod(tmp2, qr, prime, tmp2);
+- check = 1;
+- } else {
+- crypto_bignum_mulmod(tmp2, qnr, prime, tmp2);
+- check = -1;
+- }
++ mask = const_time_eq_u8(crypto_bignum_is_odd(tmp1), 1);
++ check = const_time_select_s8(mask, 1, -1);
++ const_time_select_bin(mask, qr_bin, qnr_bin, primebytelen,
++ qr_or_qnr_bin);
++ crypto_bignum_deinit(qr_or_qnr, 1);
++ qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, primebytelen);
++ if (!qr_or_qnr ||
++ crypto_bignum_mulmod(tmp2, qr_or_qnr, prime, tmp2) < 0)
++ goto fail;
+
+ /*
+ * Now it's safe to do legendre, if check is 1 then it's
+@@ -274,59 +290,12 @@ int compute_password_element(EAP_PWD_gro
+ * change result), if check is -1 then it's the opposite test
+ * (multiplying a qr by qnr would make a qnr).
+ */
+- if (crypto_bignum_legendre(tmp2, prime) == check) {
+- if (found == 1)
+- continue;
+-
+- /* need to unambiguously identify the solution */
+- is_odd = crypto_bignum_is_odd(rnd);
+-
+- /*
+- * We know x_candidate is a quadratic residue so set
+- * it here.
+- */
+- if (crypto_ec_point_solve_y_coord(grp->group, grp->pwe,
+- x_candidate,
+- is_odd) != 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: Could not solve for y");
+- continue;
+- }
+-
+- /*
+- * If there's a solution to the equation then the point
+- * must be on the curve so why check again explicitly?
+- * OpenSSL code says this is required by X9.62. We're
+- * not X9.62 but it can't hurt just to be sure.
+- */
+- if (!crypto_ec_point_is_on_curve(grp->group,
+- grp->pwe)) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: point is not on curve");
+- continue;
+- }
+-
+- if (!crypto_bignum_is_one(cofactor)) {
+- /* make sure the point is not in a small
+- * sub-group */
+- if (crypto_ec_point_mul(grp->group, grp->pwe,
+- cofactor,
+- grp->pwe) != 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: cannot multiply generator by order");
+- continue;
+- }
+- if (crypto_ec_point_is_at_infinity(grp->group,
+- grp->pwe)) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: point is at infinity");
+- continue;
+- }
+- }
+- wpa_printf(MSG_DEBUG,
+- "EAP-pwd: found a PWE in %d tries", ctr);
+- found = 1;
+- }
++ res = crypto_bignum_legendre(tmp2, prime);
++ if (res == -2)
++ goto fail;
++ mask = const_time_eq(res, check);
++ found_ctr = const_time_select_u8(found, found_ctr, ctr);
++ found |= mask;
+ }
+ if (found == 0) {
+ wpa_printf(MSG_INFO,
+@@ -334,6 +303,44 @@ int compute_password_element(EAP_PWD_gro
+ num);
+ goto fail;
+ }
++
++ /*
++ * We know x_candidate is a quadratic residue so set it here.
++ */
++ crypto_bignum_deinit(x_candidate, 1);
++ x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
++ if (!x_candidate ||
++ crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate,
++ is_odd) != 0) {
++ wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
++ goto fail;
++ }
++
++ /*
++ * If there's a solution to the equation then the point must be on the
++ * curve so why check again explicitly? OpenSSL code says this is
++ * required by X9.62. We're not X9.62 but it can't hurt just to be sure.
++ */
++ if (!crypto_ec_point_is_on_curve(grp->group, grp->pwe)) {
++ wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
++ goto fail;
++ }
++
++ if (!crypto_bignum_is_one(cofactor)) {
++ /* make sure the point is not in a small sub-group */
++ if (crypto_ec_point_mul(grp->group, grp->pwe, cofactor,
++ grp->pwe) != 0) {
++ wpa_printf(MSG_INFO,
++ "EAP-pwd: cannot multiply generator by order");
++ goto fail;
++ }
++ if (crypto_ec_point_is_at_infinity(grp->group, grp->pwe)) {
++ wpa_printf(MSG_INFO, "EAP-pwd: point is at infinity");
++ goto fail;
++ }
++ }
++ wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %02d tries", found_ctr);
++
+ if (0) {
+ fail:
+ crypto_ec_point_deinit(grp->pwe, 1);
+@@ -343,14 +350,18 @@ int compute_password_element(EAP_PWD_gro
+ /* cleanliness and order.... */
+ crypto_bignum_deinit(cofactor, 1);
+ crypto_bignum_deinit(x_candidate, 1);
+- crypto_bignum_deinit(rnd, 1);
+ crypto_bignum_deinit(pm1, 0);
+ crypto_bignum_deinit(tmp1, 1);
+ crypto_bignum_deinit(tmp2, 1);
+ crypto_bignum_deinit(qr, 1);
+ crypto_bignum_deinit(qnr, 1);
++ crypto_bignum_deinit(qr_or_qnr, 1);
+ crypto_bignum_deinit(one, 0);
+- os_free(prfbuf);
++ bin_clear_free(prfbuf, primebytelen);
++ os_memset(qr_bin, 0, sizeof(qr_bin));
++ os_memset(qnr_bin, 0, sizeof(qnr_bin));
++ os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin));
++ os_memset(pwe_digest, 0, sizeof(pwe_digest));
+
+ return ret;
+ }