Skip to content

Commit

Permalink
port fixes from master
Browse files Browse the repository at this point in the history
via the simple expedient of copying the entire function, with
some minor changes to work in v3
  • Loading branch information
alandekok committed Feb 4, 2022
1 parent 600abbb commit 9e5e8f2
Showing 1 changed file with 66 additions and 24 deletions.
90 changes: 66 additions & 24 deletions src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
Original file line number Diff line number Diff line change
Expand Up @@ -248,18 +248,16 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
char const *id_peer, int id_peer_len,
uint32_t *token)
{
BIGNUM *x_candidate = NULL, *rnd = NULL, *y_sqrd = NULL, *qr = NULL, *qnr = NULL;
HMAC_CTX *ctx = NULL;
uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, *xbuf = NULL, *pm1buf = NULL, ctr;
int nid, is_odd, primebitlen, primebytelen, ret = 0, found = 0, mask;
int save, i, rbits, qr_or_qnr, save_is_odd = 0, cmp;
unsigned int skip;

ctx = HMAC_CTX_new();
if (ctx == NULL) {
DEBUG("failed allocating HMAC context");
goto fail;
}
BIGNUM *x_candidate = NULL, *rnd = NULL, *y_sqrd = NULL, *qr = NULL, *qnr = NULL, *y1 = NULL, *y2 = NULL, *y = NULL, *exp = NULL;
EVP_MD_CTX *hmac_ctx;
EVP_PKEY *hmac_pkey;
uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, *xbuf = NULL, *pm1buf = NULL, *y1buf = NULL, *y2buf = NULL, *ybuf = NULL, ctr;
int nid, is_odd, primebitlen, primebytelen, ret = 0, found = 0, mask;
int save, i, rbits, qr_or_qnr, save_is_odd = 0, cmp;
unsigned int skip;

MEM(hmac_ctx = EVP_MD_CTX_new());
MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));

switch (grp_num) { /* from IANA registry for IKE D-H groups */
case 19:
Expand Down Expand Up @@ -303,7 +301,11 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
((qr = consttime_BN()) == NULL) ||
((qnr = consttime_BN()) == NULL) ||
((x_candidate = consttime_BN()) == NULL) ||
((y_sqrd = consttime_BN()) == NULL)) {
((y_sqrd = consttime_BN()) == NULL) ||
((y1 = consttime_BN()) == NULL) ||
((y2 = consttime_BN()) == NULL) ||
((y = consttime_BN()) == NULL) ||
((exp = consttime_BN()) == NULL)) {
DEBUG("unable to create bignums");
goto fail;
}
Expand Down Expand Up @@ -332,6 +334,19 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
DEBUG("unable to alloc space for pm1 buffer");
goto fail;
}
if ((y1buf = talloc_zero_array(request, uint8_t, primebytelen)) == NULL) {
DEBUG("unable to alloc space for y1 buffer");
goto fail;
}
if ((y2buf = talloc_zero_array(request, uint8_t, primebytelen)) == NULL) {
DEBUG("unable to alloc space for y2 buffer");
goto fail;
}
if ((ybuf = talloc_zero_array(request, uint8_t, primebytelen)) == NULL) {
DEBUG("unable to alloc space for y buffer");
goto fail;
}


/*
* derive random quadradic residue and quadratic non-residue
Expand Down Expand Up @@ -361,13 +376,19 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
* pwd-seed = H(token | peer-id | server-id | password |
* counter)
*/
HMAC_Init_ex(ctx, allzero, SHA256_DIGEST_LENGTH, EVP_sha256(),NULL);
HMAC_Update(ctx, (uint8_t *)token, sizeof(*token));
HMAC_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
HMAC_Update(ctx, (uint8_t const *)id_server, id_server_len);
HMAC_Update(ctx, (uint8_t const *)password, password_len);
HMAC_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
pwd_hmac_final(ctx, pwe_digest);
EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));

{
size_t mdlen = SHA256_DIGEST_LENGTH;

EVP_DigestSignFinal(hmac_ctx, pwe_digest, &mdlen);
EVP_MD_CTX_reset(hmac_ctx);
}

BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
Expand Down Expand Up @@ -401,7 +422,7 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
* need to unambiguously identify the solution, if there is
* one..
*/
is_odd = BN_is_odd(rnd) ? 1 : 0;
is_odd = BN_is_odd(rnd);

/*
* check whether x^3 + a*x + b is a quadratic residue
Expand Down Expand Up @@ -444,8 +465,21 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
* now we can savely construct PWE
*/
BN_bin2bn(xbuf, primebytelen, x_candidate);
if (!EC_POINT_set_compressed_coordinates(session->group, session->pwe,
x_candidate, save_is_odd, NULL)) {
do_equation(session->group, y_sqrd, x_candidate, session->bnctx);
if ( !BN_add(exp, session->prime, BN_value_one()) ||
!BN_rshift(exp, exp, 2) ||
!BN_mod_exp_mont_consttime(y1, y_sqrd, exp, session->prime, session->bnctx, NULL) ||
!BN_sub(y2, session->prime, y1) ||
!BN_bn2bin(y1, y1buf) ||
!BN_bn2bin(y2, y2buf)) {
DEBUG("unable to compute y");
goto fail;
}
mask = const_time_eq(save_is_odd, BN_is_odd(y1));
const_time_select_bin(mask, y1buf, y2buf, primebytelen, ybuf);
if (BN_bin2bn(ybuf, primebytelen, y) == NULL ||
!EC_POINT_set_affine_coordinates(session->group, session->pwe, x_candidate, y, session->bnctx)) {
DEBUG("unable to set point coordinate");
goto fail;
}

Expand All @@ -461,12 +495,20 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
BN_clear_free(qr);
BN_clear_free(qnr);
BN_clear_free(rnd);
BN_clear_free(y1);
BN_clear_free(y2);
BN_clear_free(y);
BN_clear_free(exp);

if (prfbuf) talloc_free(prfbuf);
if (xbuf) talloc_free(xbuf);
if (pm1buf) talloc_free(pm1buf);
if (y1buf) talloc_free(y1buf);
if (y2buf) talloc_free(y2buf);
if (ybuf) talloc_free(ybuf);

HMAC_CTX_free(ctx);
EVP_MD_CTX_free(hmac_ctx);
EVP_PKEY_free(hmac_pkey);

return ret;
}
Expand Down

0 comments on commit 9e5e8f2

Please sign in to comment.