aboutsummaryrefslogtreecommitdiffstats
path: root/main/hostapd/0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/hostapd/0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch')
-rw-r--r--main/hostapd/0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch70
1 files changed, 70 insertions, 0 deletions
diff --git a/main/hostapd/0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch b/main/hostapd/0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch
new file mode 100644
index 0000000000..e27cd827e8
--- /dev/null
+++ b/main/hostapd/0019-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch
@@ -0,0 +1,70 @@
+From 20d7bd83c43fb24c4cf84d3045254d3ee1957166 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 25 Apr 2019 19:07:05 +0300
+Subject: [PATCH 2/6] EAP-pwd: Use const_time_memcmp() for pwd_value >= prime
+ comparison
+
+This reduces timing and memory access pattern differences for an
+operation that could depend on the used password.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+(cherry picked from commit 7958223fdcfe82479e6ed71019a84f6d4cbf799c)
+---
+ src/eap_common/eap_pwd_common.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 884150e6c..6ca2c8bad 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -144,6 +144,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ u8 qnr_bin[MAX_ECC_PRIME_LEN];
+ u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
+ u8 x_bin[MAX_ECC_PRIME_LEN];
++ u8 prime_bin[MAX_ECC_PRIME_LEN];
+ struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
+ struct crypto_hash *hash;
+ unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+@@ -161,6 +162,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ os_memset(x_bin, 0, sizeof(x_bin));
+
+ prime = crypto_ec_get_prime(grp->group);
++ primebitlen = crypto_ec_prime_len_bits(grp->group);
++ primebytelen = crypto_ec_prime_len(grp->group);
++ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
++ primebytelen) < 0)
++ return -1;
+ grp->pwe = crypto_ec_point_init(grp->group);
+ tmp1 = crypto_bignum_init();
+ pm1 = crypto_bignum_init();
+@@ -170,8 +176,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ goto fail;
+ }
+
+- primebitlen = crypto_ec_prime_len_bits(grp->group);
+- primebytelen = crypto_ec_prime_len(grp->group);
+ if ((prfbuf = os_malloc(primebytelen)) == NULL) {
+ wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
+ "buffer");
+@@ -237,6 +241,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ if (primebitlen % 8)
+ buf_shift_right(prfbuf, primebytelen,
+ 8 - primebitlen % 8);
++ if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0)
++ continue;
+
+ crypto_bignum_deinit(x_candidate, 1);
+ x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
+@@ -246,9 +252,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ goto fail;
+ }
+
+- if (crypto_bignum_cmp(x_candidate, prime) >= 0)
+- continue;
+-
+ wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
+ prfbuf, primebytelen);
+ const_time_select_bin(found, x_bin, prfbuf, primebytelen,
+--
+2.20.1
+