1 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch
new file mode 100644
index 0000000000..6cfa7220e1
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch
@@ -0,0 +1,121 @@
+From 90839597cc4016b33f00055b12d59174c62770a3 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Sat, 2 Mar 2019 12:24:09 +0200
+Subject: [PATCH 07/14] SAE: Mask timing of MODP groups 22, 23, 24
+These groups have significant probability of coming up with pwd-value
+that is equal or greater than the prime and as such, need for going
+through the PWE derivation loop multiple times. This can result in
+sufficient timing different to allow an external observer to determine
+how many rounds are needed and that can leak information about the used
+password.
+Force at least 40 loop rounds for these MODP groups similarly to the ECC
+group design to mask timing. This behavior is not described in IEEE Std
+802.11-2016 for SAE, but it does not result in different values (i.e.,
+only different timing), so such implementation specific countermeasures
+can be done without breaking interoperability with other implementation.
+Note: These MODP groups 22, 23, and 24 are not considered sufficiently
+strong to be used with SAE (or more or less anything else). As such,
+they should never be enabled in runtime configuration for any production
+use cases. These changes to introduce additional protection to mask
+timing is only for completeness of implementation and not an indication
+that these groups should be used.
+This is related to CVE-2019-9494.
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+---
+ src/common/sae.c | 38 ++++++++++++++++++++++++++++----------
+ 1 file changed, 28 insertions(+), 10 deletions(-)
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 5df9b95..75b1b4a 100644
+--- a/src/common/sae.c
+++ b/src/common/sae.c
+@@ -601,22 +601,27 @@ fail:
+ }
+ 
+ 
+static int sae_modp_group_require_masking(int group)
+{
+       /* Groups for which pwd-value is likely to be >= p frequently */
+       return group == 22 || group == 23 || group == 24;
+}
+
+
+ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+                              const u8 *addr2, const u8 *password,
+                              size_t password_len, const char *identifier)
+ {
+-       u8 counter;
+       u8 counter, k;
+        u8 addrs[2 * ETH_ALEN];
+        const u8 *addr[3];
+        size_t len[3];
+        size_t num_elem;
+        int found = 0;
+       struct crypto_bignum *pwe = NULL;
+ 
+-       if (sae->tmp->pwe_ffc == NULL) {
+-               sae->tmp->pwe_ffc = crypto_bignum_init();
+-               if (sae->tmp->pwe_ffc == NULL)
+-                       return -1;
+-       }
+       crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
+       sae->tmp->pwe_ffc = NULL;
+ 
+        wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+                              password, password_len);
+@@ -640,7 +645,9 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+        len[num_elem] = sizeof(counter);
+        num_elem++;
+ 
+-       for (counter = 1; !found; counter++) {
+       k = sae_modp_group_require_masking(sae->group) ? 40 : 1;
+
+       for (counter = 1; counter <= k || !found; counter++) {
+                u8 pwd_seed[SHA256_MAC_LEN];
+                int res;
+ 
+@@ -650,19 +657,30 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+                        break;
+                }
+ 
+-               wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
+               wpa_printf(MSG_DEBUG, "SAE: counter = %02u", counter);
+                if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
+                                       addr, len, pwd_seed) < 0)
+                        break;
+-               res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc);
+               if (!pwe) {
+                       pwe = crypto_bignum_init();
+                       if (!pwe)
+                               break;
+               }
+               res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
+                if (res < 0)
+                        break;
+                if (res > 0) {
+-                       wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
+                        found = 1;
+                       if (!sae->tmp->pwe_ffc) {
+                               wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
+                               sae->tmp->pwe_ffc = pwe;
+                               pwe = NULL;
+                       }
+                }
+        }
+ 
+       crypto_bignum_deinit(pwe, 1);
+
+        return found ? 0 : -1;
+ }
+ 
+-- 
+2.7.4

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch new file mode 100644 index 0000000000..6cfa7220e1 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0007-SAE-Mask-timing-of-MODP-groups-22-23-24.patch
@@ -0,0 +1,121 @@
	1	From 90839597cc4016b33f00055b12d59174c62770a3 Mon Sep 17 00:00:00 2001
	2	From: Jouni Malinen <jouni@codeaurora.org>
	3	Date: Sat, 2 Mar 2019 12:24:09 +0200
	4	Subject: [PATCH 07/14] SAE: Mask timing of MODP groups 22, 23, 24
	5
	6	These groups have significant probability of coming up with pwd-value
	7	that is equal or greater than the prime and as such, need for going
	8	through the PWE derivation loop multiple times. This can result in
	9	sufficient timing different to allow an external observer to determine
	10	how many rounds are needed and that can leak information about the used
	11	password.
	12
	13	Force at least 40 loop rounds for these MODP groups similarly to the ECC
	14	group design to mask timing. This behavior is not described in IEEE Std
	15	802.11-2016 for SAE, but it does not result in different values (i.e.,
	16	only different timing), so such implementation specific countermeasures
	17	can be done without breaking interoperability with other implementation.
	18
	19	Note: These MODP groups 22, 23, and 24 are not considered sufficiently
	20	strong to be used with SAE (or more or less anything else). As such,
	21	they should never be enabled in runtime configuration for any production
	22	use cases. These changes to introduce additional protection to mask
	23	timing is only for completeness of implementation and not an indication
	24	that these groups should be used.
	25
	26	This is related to CVE-2019-9494.
	27
	28	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
	29	Signed-off-by: Adrian Bunk <bunk@stusta.de>
	30	Upstream-Status: Backport
	31	CVE: CVE-2019-9494
	32	---
	33	src/common/sae.c \| 38 ++++++++++++++++++++++++++++----------
	34	1 file changed, 28 insertions(+), 10 deletions(-)
	35
	36	diff --git a/src/common/sae.c b/src/common/sae.c
	37	index 5df9b95..75b1b4a 100644
	38	--- a/src/common/sae.c
	39	+++ b/src/common/sae.c
	40	@@ -601,22 +601,27 @@ fail:
	41	}
	42
	43
	44	+static int sae_modp_group_require_masking(int group)
	45	+{
	46	+ /* Groups for which pwd-value is likely to be >= p frequently */
	47	+ return group == 22 \|\| group == 23 \|\| group == 24;
	48	+}
	49	+
	50	+
	51	static int sae_derive_pwe_ffc(struct sae_data sae, const u8 addr1,
	52	const u8 addr2, const u8 password,
	53	size_t password_len, const char *identifier)
	54	{
	55	- u8 counter;
	56	+ u8 counter, k;
	57	u8 addrs[2 * ETH_ALEN];
	58	const u8 *addr[3];
	59	size_t len[3];
	60	size_t num_elem;
	61	int found = 0;
	62	+ struct crypto_bignum *pwe = NULL;
	63
	64	- if (sae->tmp->pwe_ffc == NULL) {
	65	- sae->tmp->pwe_ffc = crypto_bignum_init();
	66	- if (sae->tmp->pwe_ffc == NULL)
	67	- return -1;
	68	- }
	69	+ crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
	70	+ sae->tmp->pwe_ffc = NULL;
	71
	72	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
	73	password, password_len);
	74	@@ -640,7 +645,9 @@ static int sae_derive_pwe_ffc(struct sae_data sae, const u8 addr1,
	75	len[num_elem] = sizeof(counter);
	76	num_elem++;
	77
	78	- for (counter = 1; !found; counter++) {
	79	+ k = sae_modp_group_require_masking(sae->group) ? 40 : 1;
	80	+
	81	+ for (counter = 1; counter <= k \|\| !found; counter++) {
	82	u8 pwd_seed[SHA256_MAC_LEN];
	83	int res;
	84
	85	@@ -650,19 +657,30 @@ static int sae_derive_pwe_ffc(struct sae_data sae, const u8 addr1,
	86	break;
	87	}
	88
	89	- wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
	90	+ wpa_printf(MSG_DEBUG, "SAE: counter = %02u", counter);
	91	if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
	92	addr, len, pwd_seed) < 0)
	93	break;
	94	- res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc);
	95	+ if (!pwe) {
	96	+ pwe = crypto_bignum_init();
	97	+ if (!pwe)
	98	+ break;
	99	+ }
	100	+ res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
	101	if (res < 0)
	102	break;
	103	if (res > 0) {
	104	- wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
	105	found = 1;
	106	+ if (!sae->tmp->pwe_ffc) {
	107	+ wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
	108	+ sae->tmp->pwe_ffc = pwe;
	109	+ pwe = NULL;
	110	+ }
	111	}
	112	}
	113
	114	+ crypto_bignum_deinit(pwe, 1);
	115	+
	116	return found ? 0 : -1;
	117	}
	118
	119	--
	120	2.7.4
	121