diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
index 5836cbaac..0dbdff2b9 100644
--- a/src/eap_common/eap_pwd_common.c
+++ b/src/eap_common/eap_pwd_common.c
@@ -284,6 +284,7 @@ int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, BIGNUM *k,
 u8 mk[SHA256_DIGEST_LENGTH], *cruft;
 u8 session_id[SHA256_DIGEST_LENGTH + 1];
 u8 msk_emsk[EAP_MSK_LEN + EAP_EMSK_LEN];
+ int offset;
 if ((cruft = os_malloc(BN_num_bytes(grp->prime))) == NULL)
 return -1;
@@ -295,16 +296,21 @@ int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, BIGNUM *k,
 session_id[0] = EAP_TYPE_PWD;
 H_Init(&ctx);
 H_Update(&ctx, (u8 *)ciphersuite, sizeof(u32));
- BN_bn2bin(peer_scalar, cruft);
+ offset = BN_num_bytes(grp->order) - BN_num_bytes(peer_scalar);
+ os_memset(cruft, 0, BN_num_bytes(grp->prime));
+ BN_bn2bin(peer_scalar, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(grp->order));
- BN_bn2bin(server_scalar, cruft);
+ offset = BN_num_bytes(grp->order) - BN_num_bytes(server_scalar);
+ os_memset(cruft, 0, BN_num_bytes(grp->prime));
+ BN_bn2bin(server_scalar, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(grp->order));
 H_Final(&ctx, &session_id[1]);
 /* then compute MK = H(k | commit-peer | commit-server) */
 H_Init(&ctx);
+ offset = BN_num_bytes(grp->prime) - BN_num_bytes(k);
 os_memset(cruft, 0, BN_num_bytes(grp->prime));
- BN_bn2bin(k, cruft);
+ BN_bn2bin(k, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(grp->prime));
 H_Update(&ctx, commit_peer, SHA256_DIGEST_LENGTH);
 H_Update(&ctx, commit_server, SHA256_DIGEST_LENGTH);
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index e4705b7e4..6511a6654 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -465,6 +465,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 u32 cs;
 u16 grp;
 u8 conf[SHA256_DIGEST_LENGTH], *cruft = NULL, *ptr;
+ int offset;
 /*
 * first build up the ciphersuite which is group | random_function |
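Review bot: In the second `compute_keys` hunk, `offset` is a signed `int` that goes negative whenever `peer_scalar` or `server_scalar` occupies more bytes than `grp->order` (or `k` more than `grp->prime`), and `BN_bn2bin(peer_scalar, cruft + offset)` would then write before the start of the heap buffer. Nothing visible in the hunk bounds these values, and one of the scalars presumably originates from the other side's message, so whether a caller already range-checks it cannot be told from here. A guard before each conversion, `if (offset < 0)` taking the function's failure path (`goto fin;` in the confirm functions), keeps the code safe on its own. The same unchecked pattern recurs at every `BN_bn2bin(..., cruft + offset)` in the eap_pwd.c and eap_server_pwd.c hunks; `compute_keys` continues outside the hunk.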
@@ -497,7 +498,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 * value may start with a few zeros and the previous one did not.
 */
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->k, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
+ BN_bn2bin(data->k, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 /* server element: x, y */
@@ -509,15 +511,19 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 goto fin;
 }
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(x, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
+ BN_bn2bin(x, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(y, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
+ BN_bn2bin(y, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 /* server scalar */
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->server_scalar, cruft);
+ offset = BN_num_bytes(data->grp->order) -
+ BN_num_bytes(data->server_scalar);
+ BN_bn2bin(data->server_scalar, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
 /* my element: x, y */
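Review bot: The sequence `os_memset` / `offset = ...` / `BN_bn2bin(..., cruft + offset)` is written out by hand for every value hashed in the second hunk here, and again in each later hunk of this file, of eap_server_pwd.c and of eap_pwd_common.c. The field length therefore has to agree between the subtraction and the `H_Update` call in some two dozen places. A small static helper that takes the target length, rejects a value that does not fit and writes the left-padded bytes would put the length check in one place; the helper name below is a suggestion, not an existing function. Where the OpenSSL version in use provides `BN_bn2binpad()`, that call does the same job. The enclosing function starts and ends outside the hunk.

```c
/* Proposed helper: write bn as exactly len big-endian bytes, zero-padded on the left. */
static int eap_pwd_bn2bin_padded(const BIGNUM *bn, u8 *buf, int len)
{
	int bn_len = BN_num_bytes(bn);

	if (bn_len > len)
		return -1;	/* value does not fit the field */
	os_memset(buf, 0, len - bn_len);
	BN_bn2bin(bn, buf + (len - bn_len));
	return 0;
}

/* … unchanged: lookup of the element coordinates x, y … */
if (eap_pwd_bn2bin_padded(x, cruft, BN_num_bytes(data->grp->prime)) < 0)
	goto fin;
H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
```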
@@ -530,15 +536,19 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 }
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(x, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
+ BN_bn2bin(x, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(y, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
+ BN_bn2bin(y, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 /* my scalar */
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->my_scalar, cruft);
+ offset = BN_num_bytes(data->grp->order) -
+ BN_num_bytes(data->my_scalar);
+ BN_bn2bin(data->my_scalar, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
 /* the ciphersuite */
@@ -564,7 +574,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 /* k */
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->k, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
+ BN_bn2bin(data->k, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 /* my element */
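Review bot: In the `/* my scalar */` block of the first hunk here, the buffer is cleared for `BN_num_bytes(data->grp->prime)` bytes, while the padding offset and the `H_Update` length both use `BN_num_bytes(data->grp->order)`. That is only safe while the order is no longer than the prime and `cruft` holds at least that many bytes; the allocation is outside the hunk, so this is an assumption the code relies on rather than something it shows. I would state it next to the code, e.g. `/* scalar is left-padded to the order length; cruft is sized by the prime, which must not be shorter */`, or size and clear the buffer by the larger of the two lengths. The same mix of lengths appears in the scalar blocks of the other hunks.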
@@ -576,15 +587,19 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 goto fin;
 }
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(x, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
+ BN_bn2bin(x, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(y, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
+ BN_bn2bin(y, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 /* my scalar */
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->my_scalar, cruft);
+ offset = BN_num_bytes(data->grp->order) -
+ BN_num_bytes(data->my_scalar);
+ BN_bn2bin(data->my_scalar, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
 /* server element: x, y */
@@ -596,15 +611,19 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 goto fin;
 }
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(x, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
+ BN_bn2bin(x, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(y, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
+ BN_bn2bin(y, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 /* server scalar */
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->server_scalar, cruft);
+ offset = BN_num_bytes(data->grp->order) -
+ BN_num_bytes(data->server_scalar);
+ BN_bn2bin(data->server_scalar, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
 /* the ciphersuite */
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index dd2557a83..cf714c5f6 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -289,6 +289,7 @@ eap_pwd_build_confirm_req(struct eap_sm *sm, struct eap_pwd_data *data, u8 id)
 HMAC_CTX ctx;
 u8 conf[SHA256_DIGEST_LENGTH], *cruft = NULL, *ptr;
 u16 grp;
+ int offset;
 wpa_printf(MSG_DEBUG, "EAP-pwd: Confirm/Request");
@@ -313,7 +314,8 @@ eap_pwd_build_confirm_req(struct eap_sm *sm, struct eap_pwd_data *data, u8 id)
 * First is k
 */
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->k, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
+ BN_bn2bin(data->k, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 /* server element: x, y */
@@ -326,15 +328,19 @@ eap_pwd_build_confirm_req(struct eap_sm *sm, struct eap_pwd_data *data, u8 id)
 }
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(x, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
+ BN_bn2bin(x, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(y, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
+ BN_bn2bin(y, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 /* server scalar */
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->my_scalar, cruft);
+ offset = BN_num_bytes(data->grp->order) -
+ BN_num_bytes(data->my_scalar);
+ BN_bn2bin(data->my_scalar, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
 /* peer element: x, y */
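Review bot: In the `First is k` hunk the write position `cruft + offset` is derived from `BN_num_bytes(data->k)`, so the number of leading zero bytes in the shared secret decides where and how many bytes `BN_bn2bin` writes. The hashed input is fixed-width after this change, which is the important part, but the conversion itself still varies with the secret; this is likely a minor effect and is inferred from the visible lines only. A fixed-width conversion, for instance `BN_bn2binpad(data->k, cruft, BN_num_bytes(data->grp->prime))` where the OpenSSL version in use provides it, would remove the secret-dependent offset. At minimum a comment such as `/* k is secret: offset depends on its leading zero bytes */` would flag it for later hardening. The same applies to the `k` conversions in eap_pwd.c and in `compute_keys`; the function body continues outside the hunk.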
@@ -347,15 +353,19 @@ eap_pwd_build_confirm_req(struct eap_sm *sm, struct eap_pwd_data *data, u8 id)
 }
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(x, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
+ BN_bn2bin(x, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(y, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
+ BN_bn2bin(y, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 /* peer scalar */
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->peer_scalar, cruft);
+ offset = BN_num_bytes(data->grp->order) -
+ BN_num_bytes(data->peer_scalar);
+ BN_bn2bin(data->peer_scalar, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
 /* ciphersuite */
@@ -624,6 +634,7 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
 u32 cs;
 u16 grp;
 u8 conf[SHA256_DIGEST_LENGTH], *cruft = NULL, *ptr;
+ int offset;
 /* build up the ciphersuite: group | random_function | prf */
 grp = htons(data->group_num);
@@ -649,7 +660,8 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
 /* k */
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->k, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
+ BN_bn2bin(data->k, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 /* peer element: x, y */
@@ -661,15 +673,19 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
 goto fin;
 }
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(x, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
+ BN_bn2bin(x, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(y, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
+ BN_bn2bin(y, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 /* peer scalar */
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->peer_scalar, cruft);
+ offset = BN_num_bytes(data->grp->order) -
+ BN_num_bytes(data->peer_scalar);
+ BN_bn2bin(data->peer_scalar, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
 /* server element: x, y */
@@ -682,15 +698,19 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
 }
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(x, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
+ BN_bn2bin(x, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(y, cruft);
+ offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
+ BN_bn2bin(y, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
 /* server scalar */
 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
- BN_bn2bin(data->my_scalar, cruft);
+ offset = BN_num_bytes(data->grp->order) -
+ BN_num_bytes(data->my_scalar);
+ BN_bn2bin(data->my_scalar, cruft + offset);
 H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
 /* ciphersuite */