EAP-pwd: Run through prf result processing even if it >= prime

This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).

Signed-off-by: Jouni Malinen <j@w1.fi>

src/eap_common/eap_pwd_common.c

@@ -137,6 +137,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
 	struct crypto_bignum *x_candidate = NULL;
 	const struct crypto_bignum *prime;
 	u8 found_ctr = 0, is_odd = 0;
+	int cmp_prime;
+	unsigned int in_range;
 
 	if (grp->pwe)
 		return -1;
@@ -205,8 +207,13 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
 		if (primebitlen % 8)
 			buf_shift_right(prfbuf, primebytelen,
 					8 - primebitlen % 8);
-		if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
-			continue;
+		cmp_prime = const_time_memcmp(prfbuf, prime_bin, primebytelen);
+		/* Create a const_time mask for selection based on prf result
+		 * being smaller than prime. */
+		in_range = const_time_fill_msb((unsigned int) cmp_prime);
+		/* The algorithm description would skip the next steps if
+		 * cmp_prime >= 0, but go through them regardless to minimize
+		 * externally observable differences in behavior. */
 
 		crypto_bignum_deinit(x_candidate, 1);
 		x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
@@ -237,9 +244,10 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
 			goto fail;
 		found_ctr = const_time_select_u8(found, found_ctr, ctr);
 		/* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them
-		 * (with res converted to 0/0xff) handles this in constant time.
+		 * (with res converted to 0/0xff and masked with prf being below
+		 * prime) handles this in constant time.
 		 */
-		found |= res * 0xff;
+		found |= (res & in_range) * 0xff;
 	}
 	if (found == 0) {
 		wpa_printf(MSG_INFO,