1 From a25b48118d75f3c2d7cb1b2c3b4cffb13091a34c Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <j@w1.fi>
3 Date: Mon, 24 Jun 2019 23:01:06 +0300
4 Subject: [PATCH 4/6] SAE: Run through prf result processing even if it >=
7 This reduces differences in timing and memory access within the
8 hunting-and-pecking loop for ECC groups that have a prime that is not
9 close to a power of two (e.g., Brainpool curves).
11 Signed-off-by: Jouni Malinen <j@w1.fi>
12 (cherry picked from commit 147bf7b88a9c231322b5b574263071ca6dbb0503)
14 src/common/sae.c | 15 ++++++++++++---
15 1 file changed, 12 insertions(+), 3 deletions(-)
17 --- a/src/common/sae.c
18 +++ b/src/common/sae.c
19 @@ -304,6 +304,8 @@ static int sae_test_pwd_seed_ecc(struct
20 struct crypto_bignum *y_sqr, *x_cand;
24 + unsigned int in_range;
26 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
28 @@ -317,8 +319,13 @@ static int sae_test_pwd_seed_ecc(struct
29 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
30 pwd_value, sae->tmp->prime_len);
32 - if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
34 + cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len);
35 + /* Create a const_time mask for selection based on prf result
36 + * being smaller than prime. */
37 + in_range = const_time_fill_msb((unsigned int) cmp_prime);
38 + /* The algorithm description would skip the next steps if
39 + * cmp_prime >= 0 (reutnr 0 here), but go through them regardless to
40 + * minimize externally observable differences in behavior. */
42 x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
44 @@ -330,7 +337,9 @@ static int sae_test_pwd_seed_ecc(struct
46 res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
47 crypto_bignum_deinit(y_sqr, 1);
51 + return const_time_select_int(in_range, res, 0);
projects / openwrt / staging / dedeckeh.git / blob