authorDan Harkins <dharkins@lounge.org>2011-11-19 14:47:25 (GMT)
committerJouni Malinen <j@w1.fi>2011-11-19 14:47:25 (GMT)
commite547e071e1f4042d202cfaba4aded8558ec37173 (patch)
treec8555888653f91118aecf75a1c0929a6a8c4154a /src/eap_peer/eap_pwd.c
parent18f5f3de030da1c646585425e95de0f8a2a7432b (diff)
EAP-pwd: Fix zero-padding of input to H()
Another niceness of OpenSSL is that if the high-order bit of a 521-bit bignum is not set then BN_bn2bin() will just return 65 bytes instead of 66 bytes with the first octet (big endian, after all) being all zero. When this happens the wrong number of octets is mixed into function H(). So there's a whole bunch of "offset" computations, and BN_bn2bin() dumps the big number into the buffer at buffer + offset. That should be obvious in the patch too.
Diffstat (limited to 'src/eap_peer/eap_pwd.c')
-rw-r--r--src/eap_peer/eap_pwd.c47
1 files changed, 33 insertions, 14 deletions
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index e4705b7..6511a66 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -465,6 +465,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
u32 cs;
u16 grp;
u8 conf[SHA256_DIGEST_LENGTH], *cruft = NULL, *ptr;
+ int offset;
/*
* first build up the ciphersuite which is group | random_function |
@@ -497,7 +498,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
* value may start with a few zeros and the previous one did not.
*/
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->k, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
+ BN_bn2bin(data->k, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
/* server element: x, y */
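Review bot: `offset` is a signed `int` used as a pointer offset with no range check, here and in every later hunk that repeats this pattern. If a value ever needs more octets than the prime (or, for the scalars, the order), the subtraction goes negative and `BN_bn2bin(..., cruft + offset)` writes before the start of `cruft`. That should not occur for `data->k` or the affine coordinates, but `data->server_scalar` presumably comes from the peer's message, and its length validation is not visible in this diff. A guard before each conversion, e.g. `if (offset < 0) goto fin;` (or whatever the function's failure path is), would make the assumption explicit. The function body starts and ends outside the hunk.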
@@ -509,15 +511,19 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
goto fin;
}
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(x, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
+ BN_bn2bin(x, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(y, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
+ BN_bn2bin(y, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
/* server scalar */
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->server_scalar, cruft);
+ offset = BN_num_bytes(data->grp->order) -
+ BN_num_bytes(data->server_scalar);
+ BN_bn2bin(data->server_scalar, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
/* my element: x, y */
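Review bot: In the "server scalar" block the buffer is cleared for `BN_num_bytes(data->grp->prime)` octets, while the new offset and the `H_Update()` length both use `data->grp->order`. This is harmless as long as the order is no longer than the prime. The allocation of `cruft` is outside this hunk and appears to be sized by the prime, so a group whose order needs more octets would be hashed beyond what was cleared. Using one length for all three lines, e.g. `os_memset(cruft, 0, BN_num_bytes(data->grp->order));`, or checking once that the order length does not exceed the prime length, keeps the block consistent. The same mismatch appears in the "my scalar" and "server scalar" blocks of the later hunks.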
@@ -530,15 +536,19 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
}
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(x, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
+ BN_bn2bin(x, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(y, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
+ BN_bn2bin(y, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
/* my scalar */
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->my_scalar, cruft);
+ offset = BN_num_bytes(data->grp->order) -
+ BN_num_bytes(data->my_scalar);
+ BN_bn2bin(data->my_scalar, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
/* the ciphersuite */
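Review bot: The sequence clear, compute offset, `BN_bn2bin()`, `H_Update()` is now written out by hand for every value hashed in this function, which makes it easy for the prime and order lengths to drift apart, as in the scalar blocks. A small static helper would replace each group with one call and keep the padding rule in one place. It would take the hash context, the BIGNUM, the scratch buffer and the padded length, and fail when the value is longer than that length. A short comment on it, e.g. `/* left-pad with zeros: BN_bn2bin() omits leading zero octets */`, would record why the offset exists. This applies equally to the remaining hunks of this function.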
@@ -564,7 +574,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
/* k */
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->k, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
+ BN_bn2bin(data->k, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
/* my element */
@@ -576,15 +587,19 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
goto fin;
}
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(x, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
+ BN_bn2bin(x, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(y, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
+ BN_bn2bin(y, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
/* my scalar */
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->my_scalar, cruft);
+ offset = BN_num_bytes(data->grp->order) -
+ BN_num_bytes(data->my_scalar);
+ BN_bn2bin(data->my_scalar, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
/* server element: x, y */
@@ -596,15 +611,19 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
goto fin;
}
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(x, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
+ BN_bn2bin(x, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(y, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
+ BN_bn2bin(y, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
/* server scalar */
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->server_scalar, cruft);
+ offset = BN_num_bytes(data->grp->order) -
+ BN_num_bytes(data->server_scalar);
+ BN_bn2bin(data->server_scalar, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
/* the ciphersuite */