diff options
| author | Jouni Malinen <j@w1.fi> | 2019-06-24 23:02:51 +0300 |
|---|---|---|
| committer | Jouni Malinen <j@w1.fi> | 2019-07-02 22:19:38 +0300 |
| commit | cd803299ca485eb857e37c88f973fccfbb8600e5 (patch) | |
| tree | a0102e40fa1e237d360737d8f610e1f5c4d08c90 | |
| parent | 147bf7b88a9c231322b5b574263071ca6dbb0503 (diff) | |
| download | hostap-cd803299ca485eb857e37c88f973fccfbb8600e5.tar.gz hostap-cd803299ca485eb857e37c88f973fccfbb8600e5.tar.bz2 hostap-cd803299ca485eb857e37c88f973fccfbb8600e5.zip | |
EAP-pwd: Run through prf result processing even if it >= prime
This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).
Signed-off-by: Jouni Malinen <j@w1.fi>
| -rw-r--r-- | src/eap_common/eap_pwd_common.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c index 5b4f55c28..2b2b8efdb 100644 --- a/src/eap_common/eap_pwd_common.c +++ b/src/eap_common/eap_pwd_common.c @@ -137,6 +137,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, struct crypto_bignum *x_candidate = NULL; const struct crypto_bignum *prime; u8 found_ctr = 0, is_odd = 0; + int cmp_prime; + unsigned int in_range; if (grp->pwe) return -1; @@ -205,8 +207,13 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, if (primebitlen % 8) buf_shift_right(prfbuf, primebytelen, 8 - primebitlen % 8); - if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0) - continue; + cmp_prime = const_time_memcmp(prfbuf, prime_bin, primebytelen); + /* Create a const_time mask for selection based on prf result + * being smaller than prime. */ + in_range = const_time_fill_msb((unsigned int) cmp_prime); + /* The algorithm description would skip the next steps if + * cmp_prime >= 0, but go through them regardless to minimize + * externally observable differences in behavior. */ crypto_bignum_deinit(x_candidate, 1); x_candidate = crypto_bignum_init_set(prfbuf, primebytelen); @@ -237,9 +244,10 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, goto fail; found_ctr = const_time_select_u8(found, found_ctr, ctr); /* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them - * (with res converted to 0/0xff) handles this in constant time. + * (with res converted to 0/0xff and masked with prf being below + * prime) handles this in constant time. */ - found |= res * 0xff; + found |= (res & in_range) * 0xff; } if (found == 0) { wpa_printf(MSG_INFO, |
