diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c index d4c3561b5..f6ecf43a3 100644 --- a/src/common/dragonfly.c +++ b/src/common/dragonfly.c @@ -10,6 +10,7 @@ #include "utils/includes.h" #include "utils/common.h" +#include "utils/const_time.h" #include "crypto/crypto.h" #include "dragonfly.h" @@ -60,7 +61,7 @@ int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime, } -struct crypto_bignum * +static struct crypto_bignum * dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime) { struct crypto_bignum *tmp, *pm1, *one; @@ -80,3 +81,76 @@ dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime) crypto_bignum_deinit(one, 0); return tmp; } + + +int dragonfly_is_quadratic_residue_blind(struct crypto_ec *ec, + const u8 *qr, const u8 *qnr, + const struct crypto_bignum *val) +{ + struct crypto_bignum *r, *num, *qr_or_qnr = NULL; + int check, res = -1; + u8 qr_or_qnr_bin[DRAGONFLY_MAX_ECC_PRIME_LEN]; + const struct crypto_bignum *prime; + size_t prime_len; + unsigned int mask; + + prime = crypto_ec_get_prime(ec); + prime_len = crypto_ec_prime_len(ec); + + /* + * Use a blinding technique to mask val while determining whether it is + * a quadratic residue modulo p to avoid leaking timing information + * while determining the Legendre symbol. + * + * v = val + * r = a random number between 1 and p-1, inclusive + * num = (v * r * r) modulo p + */ + r = dragonfly_get_rand_1_to_p_1(prime); + if (!r) + return -1; + + num = crypto_bignum_init(); + if (!num || + crypto_bignum_mulmod(val, r, prime, num) < 0 || + crypto_bignum_mulmod(num, r, prime, num) < 0) + goto fail; + + /* + * Need to minimize differences in handling different cases, so try to + * avoid branches and timing differences. + * + * If r is odd: + * num = (num * qr) module p + * LGR(num, p) = 1 ==> quadratic residue + * else: + * num = (num * qnr) module p + * LGR(num, p) = -1 ==> quadratic residue + * + * mask is set to !odd(r) + */ + mask = const_time_is_zero(crypto_bignum_is_odd(r)); + const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin); + qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len); + if (!qr_or_qnr || + crypto_bignum_mulmod(num, qr_or_qnr, prime, num) < 0) + goto fail; + /* branchless version of check = odd(r) ? 1 : -1, */ + check = const_time_select_int(mask, -1, 1); + + /* Determine the Legendre symbol on the masked value */ + res = crypto_bignum_legendre(num, prime); + if (res == -2) { + res = -1; + goto fail; + } + /* branchless version of res = res == check + * (res is -1, 0, or 1; check is -1 or 1) */ + mask = const_time_eq(res, check); + res = const_time_select_int(mask, 1, 0); +fail: + crypto_bignum_deinit(num, 1); + crypto_bignum_deinit(r, 1); + crypto_bignum_deinit(qr_or_qnr, 1); + return res; +} diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h index d03fb7318..1ec17a45c 100644 --- a/src/common/dragonfly.h +++ b/src/common/dragonfly.h @@ -10,13 +10,17 @@ #ifndef DRAGONFLY_H #define DRAGONFLY_H +#define DRAGONFLY_MAX_ECC_PRIME_LEN 66 + struct crypto_bignum; +struct crypto_ec; int dragonfly_suitable_group(int group, int ecc_only); int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime, struct crypto_bignum **qr, struct crypto_bignum **qnr); -struct crypto_bignum * -dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime); +int dragonfly_is_quadratic_residue_blind(struct crypto_ec *ec, + const u8 *qr, const u8 *qnr, + const struct crypto_bignum *val); #endif /* DRAGONFLY_H */ diff --git a/src/common/sae.c b/src/common/sae.c index 0d8ed1c5b..634c6a358 100644 --- a/src/common/sae.c +++ b/src/common/sae.c @@ -178,72 +178,6 @@ static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key) } -static int is_quadratic_residue_blind(struct sae_data *sae, - const u8 *qr, const u8 *qnr, - const struct crypto_bignum *y_sqr) -{ - struct crypto_bignum *r, *num, *qr_or_qnr = NULL; - int check, res = -1; - u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN]; - size_t prime_len = sae->tmp->prime_len; - unsigned int mask; - - /* - * Use the blinding technique to mask y_sqr while determining - * whether it is a quadratic residue modulo p to avoid leaking - * timing information while determining the Legendre symbol. - * - * v = y_sqr - * r = a random number between 1 and p-1, inclusive - * num = (v * r * r) modulo p - */ - r = dragonfly_get_rand_1_to_p_1(sae->tmp->prime); - if (!r) - return -1; - - num = crypto_bignum_init(); - if (!num || - crypto_bignum_mulmod(y_sqr, r, sae->tmp->prime, num) < 0 || - crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0) - goto fail; - - /* - * Need to minimize differences in handling different cases, so try to - * avoid branches and timing differences. - * - * If r_odd: - * num = (num * qr) module p - * LGR(num, p) = 1 ==> quadratic residue - * else: - * num = (num * qnr) module p - * LGR(num, p) = -1 ==> quadratic residue - */ - mask = const_time_is_zero(crypto_bignum_is_odd(r)); - const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin); - qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len); - if (!qr_or_qnr || - crypto_bignum_mulmod(num, qr_or_qnr, sae->tmp->prime, num) < 0) - goto fail; - /* r_odd is 0 or 1; branchless version of check = r_odd ? 1 : -1, */ - check = const_time_select_int(mask, -1, 1); - - res = crypto_bignum_legendre(num, sae->tmp->prime); - if (res == -2) { - res = -1; - goto fail; - } - /* branchless version of res = res == check - * (res is -1, 0, or 1; check is -1 or 1) */ - mask = const_time_eq(res, check); - res = const_time_select_int(mask, 1, 0); -fail: - crypto_bignum_deinit(num, 1); - crypto_bignum_deinit(r, 1); - crypto_bignum_deinit(qr_or_qnr, 1); - return res; -} - - static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, const u8 *prime, const u8 *qr, const u8 *qnr, u8 *pwd_value) @@ -275,7 +209,8 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, if (!y_sqr) return -1; - res = is_quadratic_residue_blind(sae, qr, qnr, y_sqr); + res = dragonfly_is_quadratic_residue_blind(sae->tmp->ec, qr, qnr, + y_sqr); crypto_bignum_deinit(y_sqr, 1); return res; } diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c index 4c236364f..72aef4984 100644 --- a/src/eap_common/eap_pwd_common.c +++ b/src/eap_common/eap_pwd_common.c @@ -122,22 +122,21 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, const u8 *token) { struct crypto_bignum *qr = NULL, *qnr = NULL; - struct crypto_bignum *qr_or_qnr = NULL; u8 qr_bin[MAX_ECC_PRIME_LEN]; u8 qnr_bin[MAX_ECC_PRIME_LEN]; u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN]; u8 x_bin[MAX_ECC_PRIME_LEN]; u8 prime_bin[MAX_ECC_PRIME_LEN]; - struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL; + struct crypto_bignum *tmp2 = NULL; struct crypto_hash *hash; unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; - int ret = 0, check, res; + int ret = 0, res; u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_* * mask */ size_t primebytelen = 0, primebitlen; struct crypto_bignum *x_candidate = NULL; const struct crypto_bignum *prime; - u8 mask, found_ctr = 0, is_odd = 0; + u8 found_ctr = 0, is_odd = 0; if (grp->pwe) return -1; @@ -232,47 +231,15 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, if (!tmp2) goto fail; - /* - * mask tmp2 so doing legendre won't leak timing info - * - * tmp1 is a random number between 1 and p-1 - */ - tmp1 = dragonfly_get_rand_1_to_p_1(prime); - if (!tmp1 || - crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0 || - crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0) + res = dragonfly_is_quadratic_residue_blind(grp->group, qr_bin, + qnr_bin, tmp2); + if (res < 0) goto fail; - - /* - * Now tmp2 (y^2) is masked, all values between 1 and p-1 - * are equally probable. Multiplying by r^2 does not change - * whether or not tmp2 is a quadratic residue, just masks it. - * - * Flip a coin, multiply by the random quadratic residue or the - * random quadratic nonresidue and record heads or tails. - */ - mask = const_time_eq_u8(crypto_bignum_is_odd(tmp1), 1); - check = const_time_select_s8(mask, 1, -1); - const_time_select_bin(mask, qr_bin, qnr_bin, primebytelen, - qr_or_qnr_bin); - crypto_bignum_deinit(qr_or_qnr, 1); - qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, primebytelen); - if (!qr_or_qnr || - crypto_bignum_mulmod(tmp2, qr_or_qnr, prime, tmp2) < 0) - goto fail; - - /* - * Now it's safe to do legendre, if check is 1 then it's - * a straightforward test (multiplying by qr does not - * change result), if check is -1 then it's the opposite test - * (multiplying a qr by qnr would make a qnr). - */ - res = crypto_bignum_legendre(tmp2, prime); - if (res == -2) - goto fail; - mask = const_time_eq(res, check); found_ctr = const_time_select_u8(found, found_ctr, ctr); - found |= mask; + /* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them + * (with res converted to 0/0xff) handles this in constant time. + */ + found |= res * 0xff; } if (found == 0) { wpa_printf(MSG_INFO, @@ -313,11 +280,9 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, } /* cleanliness and order.... */ crypto_bignum_deinit(x_candidate, 1); - crypto_bignum_deinit(tmp1, 1); crypto_bignum_deinit(tmp2, 1); crypto_bignum_deinit(qr, 1); crypto_bignum_deinit(qnr, 1); - crypto_bignum_deinit(qr_or_qnr, 1); bin_clear_free(prfbuf, primebytelen); os_memset(qr_bin, 0, sizeof(qr_bin)); os_memset(qnr_bin, 0, sizeof(qnr_bin));