CVS commit: src/external/bsd/wpa/dist/src/eap_common

[Christos Zoulas]

Module Name:    src
Committed By:   christos
Date:           Thu Aug  8 08:58:40 UTC 2019

Modified Files:
        src/external/bsd/wpa/dist/src/eap_common: eap_pwd_common.c

Log Message:
EAP-pwd: Use const_time_memcmp() for pwd_value >= prime comparison

This reduces timing and memory access pattern differences for an
operation that could depend on the used password.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 \
    src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c
diff -u src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.3 src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.4
--- src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.3	Wed Apr 10 13:57:15 2019
+++ src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c	Thu Aug  8 04:58:40 2019
@@ -131,6 +131,7 @@ int compute_password_element(EAP_PWD_gro
 	u8 qnr_bin[MAX_ECC_PRIME_LEN];
 	u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
 	u8 x_bin[MAX_ECC_PRIME_LEN];
+	u8 prime_bin[MAX_ECC_PRIME_LEN];
 	struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
 	struct crypto_hash *hash;
 	unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
@@ -148,6 +149,11 @@ int compute_password_element(EAP_PWD_gro
 	os_memset(x_bin, 0, sizeof(x_bin));
 
 	prime = crypto_ec_get_prime(grp->group);
+	primebitlen = crypto_ec_prime_len_bits(grp->group);
+	primebytelen = crypto_ec_prime_len(grp->group);
+	if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
+				 primebytelen) < 0)
+		return -1;
 	cofactor = crypto_bignum_init();
 	grp->pwe = crypto_ec_point_init(grp->group);
 	tmp1 = crypto_bignum_init();
@@ -163,8 +169,6 @@ int compute_password_element(EAP_PWD_gro
 			   "curve");
 		goto fail;
 	}
-	primebitlen = crypto_ec_prime_len_bits(grp->group);
-	primebytelen = crypto_ec_prime_len(grp->group);
 	if ((prfbuf = os_malloc(primebytelen)) == NULL) {
 		wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
 			   "buffer");
@@ -230,6 +234,8 @@ int compute_password_element(EAP_PWD_gro
 		if (primebitlen % 8)
 			buf_shift_right(prfbuf, primebytelen,
 					8 - primebitlen % 8);
+		if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
+			continue;
 
 		crypto_bignum_deinit(x_candidate, 1);
 		x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
@@ -239,9 +245,6 @@ int compute_password_element(EAP_PWD_gro
 			goto fail;
 		}
 
-		if (crypto_bignum_cmp(x_candidate, prime) >= 0)
-			continue;
-
 		wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
 				prfbuf, primebytelen);
 		const_time_select_bin(found, x_bin, prfbuf, primebytelen,