jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

EAP-pwd: Use const_time_memcmp() for pwd_value >= prime comparison

Browse source 
This reduces timing and memory access pattern differences for an
operation that could depend on the used password.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-04-25 19:07:05 +03:00 committed by Jouni Malinen
parent 8e14b030e5
commit 7958223fdc
1 changed files with 8 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
src/eap_common/eap_pwd_common.c
View file

@ -144,6 +144,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
u8 qnr_bin[MAX_ECC_PRIME_LEN]; u8 qnr_bin[MAX_ECC_PRIME_LEN];
u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN]; u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
u8 x_bin[MAX_ECC_PRIME_LEN]; u8 x_bin[MAX_ECC_PRIME_LEN];
u8 prime_bin[MAX_ECC_PRIME_LEN];
struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL; struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
struct crypto_hash *hash; struct crypto_hash *hash;
unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
@ -161,6 +162,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
os_memset(x_bin, 0, sizeof(x_bin)); os_memset(x_bin, 0, sizeof(x_bin));
prime = crypto_ec_get_prime(grp->group); prime = crypto_ec_get_prime(grp->group);
primebitlen = crypto_ec_prime_len_bits(grp->group);
primebytelen = crypto_ec_prime_len(grp->group);
if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
primebytelen) < 0)
return -1;
grp->pwe = crypto_ec_point_init(grp->group); grp->pwe = crypto_ec_point_init(grp->group);
tmp1 = crypto_bignum_init(); tmp1 = crypto_bignum_init();
pm1 = crypto_bignum_init(); pm1 = crypto_bignum_init();
@ -170,8 +176,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
goto fail; goto fail;
} }
primebitlen = crypto_ec_prime_len_bits(grp->group);
primebytelen = crypto_ec_prime_len(grp->group);
if ((prfbuf = os_malloc(primebytelen)) == NULL) { if ((prfbuf = os_malloc(primebytelen)) == NULL) {
wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf " wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
"buffer"); "buffer");
@ -237,6 +241,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
if (primebitlen % 8) if (primebitlen % 8)
buf_shift_right(prfbuf, primebytelen, buf_shift_right(prfbuf, primebytelen,
8 - primebitlen % 8); 8 - primebitlen % 8);
if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
continue;
crypto_bignum_deinit(x_candidate, 1); crypto_bignum_deinit(x_candidate, 1);
x_candidate = crypto_bignum_init_set(prfbuf, primebytelen); x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
@ -246,9 +252,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
goto fail; goto fail;
} }
if (crypto_bignum_cmp(x_candidate, prime) >= 0)
continue;
wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate", wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
prfbuf, primebytelen); prfbuf, primebytelen);
const_time_select_bin(found, x_bin, prfbuf, primebytelen, const_time_select_bin(found, x_bin, prfbuf, primebytelen,