[src/trunk]: src/external/bsd/wpa/dist/src/eap_common EAP-pwd: Use const_time...

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/e5793ab91a3b
branches:  trunk
changeset: 458734:e5793ab91a3b
user:      christos <christos%NetBSD.org@localhost>
date:      Thu Aug 08 08:58:40 2019 +0000

description:
EAP-pwd: Use const_time_memcmp() for pwd_value >= prime comparison

This reduces timing and memory access pattern differences for an
operation that could depend on the used password.

diffstat:

 external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c |  13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

diffs (51 lines):

diff -r b01fa3f65f76 -r e5793ab91a3b external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c
--- a/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c     Thu Aug 08 08:55:48 2019 +0000
+++ b/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c     Thu Aug 08 08:58:40 2019 +0000
@@ -131,6 +131,7 @@
        u8 qnr_bin[MAX_ECC_PRIME_LEN];
        u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
        u8 x_bin[MAX_ECC_PRIME_LEN];
+       u8 prime_bin[MAX_ECC_PRIME_LEN];
        struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
        struct crypto_hash *hash;
        unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
@@ -148,6 +149,11 @@
        os_memset(x_bin, 0, sizeof(x_bin));
 
        prime = crypto_ec_get_prime(grp->group);
+       primebitlen = crypto_ec_prime_len_bits(grp->group);
+       primebytelen = crypto_ec_prime_len(grp->group);
+       if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
+                                primebytelen) < 0)
+               return -1;
        cofactor = crypto_bignum_init();
        grp->pwe = crypto_ec_point_init(grp->group);
        tmp1 = crypto_bignum_init();
@@ -163,8 +169,6 @@
                           "curve");
                goto fail;
        }
-       primebitlen = crypto_ec_prime_len_bits(grp->group);
-       primebytelen = crypto_ec_prime_len(grp->group);
        if ((prfbuf = os_malloc(primebytelen)) == NULL) {
                wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
                           "buffer");
@@ -230,6 +234,8 @@
                if (primebitlen % 8)
                        buf_shift_right(prfbuf, primebytelen,
                                        8 - primebitlen % 8);
+               if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
+                       continue;
 
                crypto_bignum_deinit(x_candidate, 1);
                x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
@@ -239,9 +245,6 @@
                        goto fail;
                }
 
-               if (crypto_bignum_cmp(x_candidate, prime) >= 0)
-                       continue;
-
                wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
                                prfbuf, primebytelen);
                const_time_select_bin(found, x_bin, prfbuf, primebytelen,