6bbda2bdb6c8a749809a24dd58c78db638c40979
[openwrt/staging/adrian.git] /
1 From 20d7bd83c43fb24c4cf84d3045254d3ee1957166 Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <jouni@codeaurora.org>
3 Date: Thu, 25 Apr 2019 19:07:05 +0300
4 Subject: [PATCH 2/6] EAP-pwd: Use const_time_memcmp() for pwd_value >= prime
5 comparison
6
7 This reduces timing and memory access pattern differences for an
8 operation that could depend on the used password.
9
10 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
11 (cherry picked from commit 7958223fdcfe82479e6ed71019a84f6d4cbf799c)
12 ---
13 src/eap_common/eap_pwd_common.c | 13 ++++++++-----
14 1 file changed, 8 insertions(+), 5 deletions(-)
15
16 --- a/src/eap_common/eap_pwd_common.c
17 +++ b/src/eap_common/eap_pwd_common.c
18 @@ -144,6 +144,7 @@ int compute_password_element(EAP_PWD_gro
19 u8 qnr_bin[MAX_ECC_PRIME_LEN];
20 u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
21 u8 x_bin[MAX_ECC_PRIME_LEN];
22 + u8 prime_bin[MAX_ECC_PRIME_LEN];
23 struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
24 struct crypto_hash *hash;
25 unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
26 @@ -161,6 +162,11 @@ int compute_password_element(EAP_PWD_gro
27 os_memset(x_bin, 0, sizeof(x_bin));
28
29 prime = crypto_ec_get_prime(grp->group);
30 + primebitlen = crypto_ec_prime_len_bits(grp->group);
31 + primebytelen = crypto_ec_prime_len(grp->group);
32 + if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
33 + primebytelen) < 0)
34 + return -1;
35 cofactor = crypto_bignum_init();
36 grp->pwe = crypto_ec_point_init(grp->group);
37 tmp1 = crypto_bignum_init();
38 @@ -176,8 +182,6 @@ int compute_password_element(EAP_PWD_gro
39 "curve");
40 goto fail;
41 }
42 - primebitlen = crypto_ec_prime_len_bits(grp->group);
43 - primebytelen = crypto_ec_prime_len(grp->group);
44 if ((prfbuf = os_malloc(primebytelen)) == NULL) {
45 wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
46 "buffer");
47 @@ -243,6 +247,8 @@ int compute_password_element(EAP_PWD_gro
48 if (primebitlen % 8)
49 buf_shift_right(prfbuf, primebytelen,
50 8 - primebitlen % 8);
51 + if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
52 + continue;
53
54 crypto_bignum_deinit(x_candidate, 1);
55 x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
56 @@ -252,9 +258,6 @@ int compute_password_element(EAP_PWD_gro
57 goto fail;
58 }
59
60 - if (crypto_bignum_cmp(x_candidate, prime) >= 0)
61 - continue;
62 -
63 wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
64 prfbuf, primebytelen);
65 const_time_select_bin(found, x_bin, prfbuf, primebytelen,