CVS commit: src/external/bsd/wpa/dist/src/common

Thu, 08 Aug 2019 02:57:04 -0700 

Module Name:    src
Committed By:   christos
Date:           Thu Aug  8 09:56:10 UTC 2019

Modified Files:
        src/external/bsd/wpa/dist/src/common: sae.c

Log Message:
SAE: Run through prf result processing even if it >= prime

This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).

Signed-off-by: Jouni Malinen <j...@w1.fi>
(cherry picked from commit 147bf7b88a9c231322b5b574263071ca6dbb0503)


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/external/bsd/wpa/dist/src/common/sae.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/external/bsd/wpa/dist/src/common/sae.c
diff -u src/external/bsd/wpa/dist/src/common/sae.c:1.8 src/external/bsd/wpa/dist/src/common/sae.c:1.9
--- src/external/bsd/wpa/dist/src/common/sae.c:1.8	Thu Aug  8 04:55:48 2019
+++ src/external/bsd/wpa/dist/src/common/sae.c	Thu Aug  8 05:56:10 2019
@@ -281,6 +281,8 @@ static int sae_test_pwd_seed_ecc(struct 
 	struct crypto_bignum *y_sqr, *x_cand;
 	int res;
 	size_t bits;
+	int cmp_prime;
+	unsigned int in_range;
 
 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
 
@@ -294,8 +296,13 @@ static int sae_test_pwd_seed_ecc(struct 
 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
 			pwd_value, sae->tmp->prime_len);
 
-	if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
-		return 0;
+	cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len);
+	/* Create a const_time mask for selection based on prf result
+	 * being smaller than prime. */
+	in_range = const_time_fill_msb((unsigned int) cmp_prime);
+	/* The algorithm description would skip the next steps if
+	 * cmp_prime >= 0 (reutnr 0 here), but go through them regardless to
+	 * minimize externally observable differences in behavior. */
 
 	x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
 	if (!x_cand)
@@ -307,7 +314,9 @@ static int sae_test_pwd_seed_ecc(struct 
 
 	res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
 	crypto_bignum_deinit(y_sqr, 1);
-	return res;
+	if (res < 0)
+		return res;
+	return const_time_select_int(in_range, res, 0);
 }

Reply via email to