Module Name: src Committed By: christos Date: Thu Aug 8 08:58:40 UTC 2019
Modified Files: src/external/bsd/wpa/dist/src/eap_common: eap_pwd_common.c Log Message: EAP-pwd: Use const_time_memcmp() for pwd_value >= prime comparison This reduces timing and memory access pattern differences for an operation that could depend on the used password. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 \ src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c diff -u src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.3 src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.4 --- src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.3 Wed Apr 10 13:57:15 2019 +++ src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c Thu Aug 8 04:58:40 2019 @@ -131,6 +131,7 @@ int compute_password_element(EAP_PWD_gro u8 qnr_bin[MAX_ECC_PRIME_LEN]; u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN]; u8 x_bin[MAX_ECC_PRIME_LEN]; + u8 prime_bin[MAX_ECC_PRIME_LEN]; struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL; struct crypto_hash *hash; unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; @@ -148,6 +149,11 @@ int compute_password_element(EAP_PWD_gro os_memset(x_bin, 0, sizeof(x_bin)); prime = crypto_ec_get_prime(grp->group); + primebitlen = crypto_ec_prime_len_bits(grp->group); + primebytelen = crypto_ec_prime_len(grp->group); + if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin), + primebytelen) < 0) + return -1; cofactor = crypto_bignum_init(); grp->pwe = crypto_ec_point_init(grp->group); tmp1 = crypto_bignum_init(); @@ -163,8 +169,6 @@ int compute_password_element(EAP_PWD_gro "curve"); goto fail; } - primebitlen = crypto_ec_prime_len_bits(grp->group); - primebytelen = crypto_ec_prime_len(grp->group); if ((prfbuf = os_malloc(primebytelen)) == NULL) { wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf " "buffer"); @@ -230,6 +234,8 @@ int compute_password_element(EAP_PWD_gro if (primebitlen % 8) buf_shift_right(prfbuf, primebytelen, 8 - primebitlen % 8); + if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0) + continue; crypto_bignum_deinit(x_candidate, 1); x_candidate = crypto_bignum_init_set(prfbuf, primebytelen); @@ -239,9 +245,6 @@ int compute_password_element(EAP_PWD_gro goto fail; } - if (crypto_bignum_cmp(x_candidate, prime) >= 0) - continue; - wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate", prfbuf, primebytelen); const_time_select_bin(found, x_bin, prfbuf, primebytelen,