Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/external/bsd/wpa/dist/src/common SAE: Run through prf result...
details: https://anonhg.NetBSD.org/src/rev/e1dee530597b
branches: trunk
changeset: 964593:e1dee530597b
user: christos <christos%NetBSD.org@localhost>
date: Thu Aug 08 09:56:10 2019 +0000
description:
SAE: Run through prf result processing even if it >= prime
This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).
Signed-off-by: Jouni Malinen <j%w1.fi@localhost>
(cherry picked from commit 147bf7b88a9c231322b5b574263071ca6dbb0503)
diffstat:
external/bsd/wpa/dist/src/common/sae.c | 15 ++++++++++++---
1 files changed, 12 insertions(+), 3 deletions(-)
diffs (39 lines):
diff -r f65ae851040c -r e1dee530597b external/bsd/wpa/dist/src/common/sae.c
--- a/external/bsd/wpa/dist/src/common/sae.c Thu Aug 08 09:55:32 2019 +0000
+++ b/external/bsd/wpa/dist/src/common/sae.c Thu Aug 08 09:56:10 2019 +0000
@@ -281,6 +281,8 @@
struct crypto_bignum *y_sqr, *x_cand;
int res;
size_t bits;
+ int cmp_prime;
+ unsigned int in_range;
wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
@@ -294,8 +296,13 @@
wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
pwd_value, sae->tmp->prime_len);
- if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
- return 0;
+ cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len);
+ /* Create a const_time mask for selection based on prf result
+ * being smaller than prime. */
+ in_range = const_time_fill_msb((unsigned int) cmp_prime);
+ /* The algorithm description would skip the next steps if
+ * cmp_prime >= 0 (reutnr 0 here), but go through them regardless to
+ * minimize externally observable differences in behavior. */
x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
if (!x_cand)
@@ -307,7 +314,9 @@
res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
crypto_bignum_deinit(y_sqr, 1);
- return res;
+ if (res < 0)
+ return res;
+ return const_time_select_int(in_range, res, 0);
}
Home |
Main Index |
Thread Index |
Old Index