Source-Changes-HG archive
[src/trunk]: src/external/bsd/wpa/dist/src/common SAE: Run through prf result...
details:   https://anonhg.NetBSD.org/src/rev/7dcc04906b4c
branches:  trunk
changeset: 458736:7dcc04906b4c
user:      christos <christos%NetBSD.org@localhost>
date:      Thu Aug 08 09:56:10 2019 +0000
description:
SAE: Run through prf result processing even if it >= prime
This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).
Signed-off-by: Jouni Malinen <j%w1.fi@localhost>
(cherry picked from commit 147bf7b88a9c231322b5b574263071ca6dbb0503)
diffstat:
 external/bsd/wpa/dist/src/common/sae.c |  15 ++++++++++++---
 1 files changed, 12 insertions(+), 3 deletions(-)
diffs (39 lines):
diff -r dd95de20f086 -r 7dcc04906b4c external/bsd/wpa/dist/src/common/sae.c
--- a/external/bsd/wpa/dist/src/common/sae.c    Thu Aug 08 09:55:32 2019 +0000
+++ b/external/bsd/wpa/dist/src/common/sae.c    Thu Aug 08 09:56:10 2019 +0000
@@ -281,6 +281,8 @@
        struct crypto_bignum *y_sqr, *x_cand;
        int res;
        size_t bits;
+       int cmp_prime;
+       unsigned int in_range;
 
        wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
 
@@ -294,8 +296,13 @@
        wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
                        pwd_value, sae->tmp->prime_len);
 
-       if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
-               return 0;
+       cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len);
+       /* Create a const_time mask for selection based on prf result
+        * being smaller than prime. */
+       in_range = const_time_fill_msb((unsigned int) cmp_prime);
+       /* The algorithm description would skip the next steps if
+        * cmp_prime >= 0 (reutnr 0 here), but go through them regardless to
+        * minimize externally observable differences in behavior. */
 
        x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
        if (!x_cand)
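Review bot: typo in the new comment, "reutnr 0 here" should read "return 0 here". The comment would also be clearer if it stated the mask's polarity: const_time_memcmp() returns a negative value when pwd_value is smaller than prime, so const_time_fill_msb() on the cast result yields an all-ones in_range exactly when the PRF output is usable, and zero otherwise; as written the reader has to reconstruct that from the sign convention. Since crypto_bignum_init_set() and the steps after it now also run for pwd_value >= prime, which is the point of the change, those operations must accept an unreduced input rather than fail on it, so the early error returns between here and the final select must not depend on cmp_prime.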
@@ -307,7 +314,9 @@
 
        res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
        crypto_bignum_deinit(y_sqr, 1);
-       return res;
+       if (res < 0)
+               return res;
+       return const_time_select_int(in_range, res, 0);
 }
 
 
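Review bot: the `if (res < 0) return res;` branch keeps the error path distinguishable, which is acceptable for a failure, but the success path relies on in_range being a full-width mask (0 or all ones) because const_time_select_int() selects with it bitwise; that holds for a value from const_time_fill_msb(), and a short comment at the select saying so would prevent a later edit from turning in_range into a plain 0/1 flag and silently breaking the selection. For pwd_value >= prime the computed `res` is discarded and 0 is returned, matching the previous `return 0`, so callers see the same result with the timing of the full path.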