openwrt/package/network/services/hostapd/patches/066-0004-SAE-Run-through-prf-result-processing-even-if-it-pri.patch

From a25b48118d75f3c2d7cb1b2c3b4cffb13091a34c Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Mon, 24 Jun 2019 23:01:06 +0300
Subject: [PATCH 4/6] SAE: Run through prf result processing even if it >=
 prime

This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).

Signed-off-by: Jouni Malinen <j@w1.fi>
(cherry picked from commit 147bf7b88a9c231322b5b574263071ca6dbb0503)
---
 src/common/sae.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -304,6 +304,8 @@ static int sae_test_pwd_seed_ecc(struct
 	struct crypto_bignum *y_sqr, *x_cand;
 	int res;
 	size_t bits;
+	int cmp_prime;
+	unsigned int in_range;
 
 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
 
@@ -317,8 +319,13 @@ static int sae_test_pwd_seed_ecc(struct
 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
 			pwd_value, sae->tmp->prime_len);
 
-	if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
-		return 0;
+	cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len);
+	/* Create a const_time mask for selection based on prf result
+	 * being smaller than prime. */
+	in_range = const_time_fill_msb((unsigned int) cmp_prime);
+	/* The algorithm description would skip the next steps if
+	 * cmp_prime >= 0 (reutnr 0 here), but go through them regardless to
+	 * minimize externally observable differences in behavior. */
 
 	x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
 	if (!x_cand)
@@ -330,7 +337,9 @@ static int sae_test_pwd_seed_ecc(struct
 
 	res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
 	crypto_bignum_deinit(y_sqr, 1);
-	return res;
+	if (res < 0)
+		return res;
+	return const_time_select_int(in_range, res, 0);
 }