Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch')
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch | 108 |
1 files changed, 108 insertions, 0 deletions
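--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0008-SAE-Use-const_time-selection-for-PWE-in-FFC.patch
@@ -0,0 +1,108 @@
+From f8f20717f87eff1f025f48ed585c7684debacf72 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Sat, 2 Mar 2019 12:45:33 +0200
+Subject: [PATCH 08/14] SAE: Use const_time selection for PWE in FFC
+
+This is an initial step towards making the FFC case use strictly
+constant time operations similarly to the ECC case.
+sae_test_pwd_seed_ffc() does not yet have constant time behavior,
+though.
+
+This is related to CVE-2019-9494.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9494
+---
+src/common/sae.c | 53 +++++++++++++++++++++++++++++++++++------------------
+1 file changed, 35 insertions(+), 18 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 75b1b4a..fa9a145 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -612,17 +612,28 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+const u8 *addr2, const u8 *password,
+size_t password_len, const char *identifier)
+{
+- u8 counter, k;
++ u8 counter, k, sel_counter = 0;
+u8 addrs[2 * ETH_ALEN];
+const u8 *addr[3];
+size_t len[3];
+size_t num_elem;
+- int found = 0;
+- struct crypto_bignum *pwe = NULL;
++ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
++ * mask */
++ u8 mask;
++ struct crypto_bignum *pwe;
++ size_t prime_len = sae->tmp->prime_len * 8;
++ u8 *pwe_buf;
+
+crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
+sae->tmp->pwe_ffc = NULL;
+
++ /* Allocate a buffer to maintain selected and candidate PWE for constant
++ * time selection. */
++ pwe_buf = os_zalloc(prime_len * 2);
++ pwe = crypto_bignum_init();
++ if (!pwe_buf || !pwe)
++ goto fail;
++
+wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
+password, password_len);
+
+@@ -661,27 +672,33 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
+if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
+addr, len, pwd_seed) < 0)
+break;
+- if (!pwe) {
+- pwe = crypto_bignum_init();
+- if (!pwe)
+- break;
+- }
+res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
++ /* res is -1 for fatal failure, 0 if a valid PWE was not found,
++ * or 1 if a valid PWE was found. */
+if (res < 0)
+break;
+- if (res > 0) {
+- found = 1;
+- if (!sae->tmp->pwe_ffc) {
+- wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
+- sae->tmp->pwe_ffc = pwe;
+- pwe = NULL;
+- }
+- }
++ /* Store the candidate PWE into the second half of pwe_buf and
++ * the selected PWE in the beginning of pwe_buf using constant
++ * time selection. */
++ if (crypto_bignum_to_bin(pwe, pwe_buf + prime_len, prime_len,
++ prime_len) < 0)
++ break;
++ const_time_select_bin(found, pwe_buf, pwe_buf + prime_len,
++ prime_len, pwe_buf);
++ sel_counter = const_time_select_u8(found, sel_counter, counter);
++ mask = const_time_eq_u8(res, 1);
++ found = const_time_select_u8(found, found, mask);
+}
+
+- crypto_bignum_deinit(pwe, 1);
++ if (!found)
++ goto fail;
+
+- return found ? 0 : -1;
++ wpa_printf(MSG_DEBUG, "SAE: Use PWE from counter = %02u", sel_counter);
++ sae->tmp->pwe_ffc = crypto_bignum_init_set(pwe_buf, prime_len);
++fail:
++ crypto_bignum_deinit(pwe, 1);
++ bin_clear_free(pwe_buf, prime_len * 2);
++ return sae->tmp->pwe_ffc ? 0 : -1;
+}
+
+
+--
+2.7.4
+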
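Review bot: The new local `prime_len` in sae_derive_pwe_ffc() is set to `sae->tmp->prime_len * 8` and then used as an octet count for `os_zalloc(prime_len * 2)`, the `crypto_bignum_to_bin()` pad length, `const_time_select_bin()`, `crypto_bignum_init_set()` and `bin_clear_free()`, with no comment explaining the factor of 8. If the struct field is already in octets (its definition is not part of this patch, so this needs confirming), the buffers and the padded PWE are eight times larger than the prime; that looks harmless for the selection itself, but the local reuses the field's name for a different value and the unit is easy to misread in later changes. I would give it a distinct name, e.g. `size_t pwe_buf_len = sae->tmp->prime_len * 8;`, or add a one-line comment stating the unit and why the factor is there. Separately, `wpa_printf(MSG_DEBUG, "SAE: Use PWE from counter = %02u", sel_counter)` writes the password-dependent iteration index that the constant-time selection is meant to keep unobservable into the ordinary debug log, so it is worth checking whether it should go through the key-logging path like the `wpa_hexdump_ascii_key()` call above. Only parts of the function body are visible in the two inner hunks.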