diff options
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch')
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch new file mode 100644 index 0000000000..6cfa7220e1 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch | |||
@@ -0,0 +1,121 @@ | |||
1 | From 90839597cc4016b33f00055b12d59174c62770a3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jouni Malinen <jouni@codeaurora.org> | ||
3 | Date: Sat, 2 Mar 2019 12:24:09 +0200 | ||
4 | Subject: [PATCH 07/14] SAE: Mask timing of MODP groups 22, 23, 24 | ||
5 | |||
6 | These groups have significant probability of coming up with pwd-value | ||
7 | that is equal or greater than the prime and as such, need for going | ||
8 | through the PWE derivation loop multiple times. This can result in | ||
9 | sufficient timing different to allow an external observer to determine | ||
10 | how many rounds are needed and that can leak information about the used | ||
11 | password. | ||
12 | |||
13 | Force at least 40 loop rounds for these MODP groups similarly to the ECC | ||
14 | group design to mask timing. This behavior is not described in IEEE Std | ||
15 | 802.11-2016 for SAE, but it does not result in different values (i.e., | ||
16 | only different timing), so such implementation specific countermeasures | ||
17 | can be done without breaking interoperability with other implementation. | ||
18 | |||
19 | Note: These MODP groups 22, 23, and 24 are not considered sufficiently | ||
20 | strong to be used with SAE (or more or less anything else). As such, | ||
21 | they should never be enabled in runtime configuration for any production | ||
22 | use cases. These changes to introduce additional protection to mask | ||
23 | timing is only for completeness of implementation and not an indication | ||
24 | that these groups should be used. | ||
25 | |||
26 | This is related to CVE-2019-9494. | ||
27 | |||
28 | Signed-off-by: Jouni Malinen <jouni@codeaurora.org> | ||
29 | Signed-off-by: Adrian Bunk <bunk@stusta.de> | ||
30 | Upstream-Status: Backport | ||
31 | CVE: CVE-2019-9494 | ||
32 | --- | ||
33 | src/common/sae.c | 38 ++++++++++++++++++++++++++++---------- | ||
34 | 1 file changed, 28 insertions(+), 10 deletions(-) | ||
35 | |||
36 | diff --git a/src/common/sae.c b/src/common/sae.c | ||
37 | index 5df9b95..75b1b4a 100644 | ||
38 | --- a/src/common/sae.c | ||
39 | +++ b/src/common/sae.c | ||
40 | @@ -601,22 +601,27 @@ fail: | ||
41 | } | ||
42 | |||
43 | |||
44 | +static int sae_modp_group_require_masking(int group) | ||
45 | +{ | ||
46 | + /* Groups for which pwd-value is likely to be >= p frequently */ | ||
47 | + return group == 22 || group == 23 || group == 24; | ||
48 | +} | ||
49 | + | ||
50 | + | ||
51 | static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1, | ||
52 | const u8 *addr2, const u8 *password, | ||
53 | size_t password_len, const char *identifier) | ||
54 | { | ||
55 | - u8 counter; | ||
56 | + u8 counter, k; | ||
57 | u8 addrs[2 * ETH_ALEN]; | ||
58 | const u8 *addr[3]; | ||
59 | size_t len[3]; | ||
60 | size_t num_elem; | ||
61 | int found = 0; | ||
62 | + struct crypto_bignum *pwe = NULL; | ||
63 | |||
64 | - if (sae->tmp->pwe_ffc == NULL) { | ||
65 | - sae->tmp->pwe_ffc = crypto_bignum_init(); | ||
66 | - if (sae->tmp->pwe_ffc == NULL) | ||
67 | - return -1; | ||
68 | - } | ||
69 | + crypto_bignum_deinit(sae->tmp->pwe_ffc, 1); | ||
70 | + sae->tmp->pwe_ffc = NULL; | ||
71 | |||
72 | wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password", | ||
73 | password, password_len); | ||
74 | @@ -640,7 +645,9 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1, | ||
75 | len[num_elem] = sizeof(counter); | ||
76 | num_elem++; | ||
77 | |||
78 | - for (counter = 1; !found; counter++) { | ||
79 | + k = sae_modp_group_require_masking(sae->group) ? 40 : 1; | ||
80 | + | ||
81 | + for (counter = 1; counter <= k || !found; counter++) { | ||
82 | u8 pwd_seed[SHA256_MAC_LEN]; | ||
83 | int res; | ||
84 | |||
85 | @@ -650,19 +657,30 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1, | ||
86 | break; | ||
87 | } | ||
88 | |||
89 | - wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter); | ||
90 | + wpa_printf(MSG_DEBUG, "SAE: counter = %02u", counter); | ||
91 | if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem, | ||
92 | addr, len, pwd_seed) < 0) | ||
93 | break; | ||
94 | - res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc); | ||
95 | + if (!pwe) { | ||
96 | + pwe = crypto_bignum_init(); | ||
97 | + if (!pwe) | ||
98 | + break; | ||
99 | + } | ||
100 | + res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe); | ||
101 | if (res < 0) | ||
102 | break; | ||
103 | if (res > 0) { | ||
104 | - wpa_printf(MSG_DEBUG, "SAE: Use this PWE"); | ||
105 | found = 1; | ||
106 | + if (!sae->tmp->pwe_ffc) { | ||
107 | + wpa_printf(MSG_DEBUG, "SAE: Use this PWE"); | ||
108 | + sae->tmp->pwe_ffc = pwe; | ||
109 | + pwe = NULL; | ||
110 | + } | ||
111 | } | ||
112 | } | ||
113 | |||
114 | + crypto_bignum_deinit(pwe, 1); | ||
115 | + | ||
116 | return found ? 0 : -1; | ||
117 | } | ||
118 | |||
119 | -- | ||
120 | 2.7.4 | ||
121 | |||