CVS commit: src/external/bsd/wpa/dist/src/eap_common

Thu, 08 Aug 2019 02:57:42 -0700 

Module Name:    src
Committed By:   christos
Date:           Thu Aug  8 09:56:41 UTC 2019

Modified Files:
        src/external/bsd/wpa/dist/src/eap_common: eap_pwd_common.c

Log Message:
EAP-pwd: Run through prf result processing even if it >= prime

This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).

Signed-off-by: Jouni Malinen <j...@w1.fi>
(cherry picked from commit cd803299ca485eb857e37c88f973fccfbb8600e5)


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 \
    src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c
diff -u src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.4 src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.5
--- src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.4	Thu Aug  8 04:58:40 2019
+++ src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c	Thu Aug  8 05:56:41 2019
@@ -142,6 +142,8 @@ int compute_password_element(EAP_PWD_gro
 	struct crypto_bignum *x_candidate = NULL, *cofactor = NULL;
 	const struct crypto_bignum *prime;
 	u8 mask, found_ctr = 0, is_odd = 0;
+	int cmp_prime;
+	unsigned int in_range;
 
 	if (grp->pwe)
 		return -1;
@@ -234,8 +236,13 @@ int compute_password_element(EAP_PWD_gro
 		if (primebitlen % 8)
 			buf_shift_right(prfbuf, primebytelen,
 					8 - primebitlen % 8);
-		if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
-			continue;
+		cmp_prime = const_time_memcmp(prfbuf, prime_bin, primebytelen);
+		/* Create a const_time mask for selection based on prf result
+		 * being smaller than prime. */
+		in_range = const_time_fill_msb((unsigned int) cmp_prime);
+		/* The algorithm description would skip the next steps if
+		 * cmp_prime >= 0, but go through them regardless to minimize
+		 * externally observable differences in behavior. */
 
 		crypto_bignum_deinit(x_candidate, 1);
 		x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
@@ -298,7 +305,7 @@ int compute_password_element(EAP_PWD_gro
 			goto fail;
 		mask = const_time_eq(res, check);
 		found_ctr = const_time_select_u8(found, found_ctr, ctr);
-		found |= mask;
+		found |= mask & in_range;
 	}
 	if (found == 0) {
 		wpa_printf(MSG_INFO,

Reply via email to