diff options
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch')
| -rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch | 139 |
1 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch new file mode 100644 index 0000000000..d2ae8188e1 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch @@ -0,0 +1,139 @@ +From cff138b0747fa39765cbc641b66cfa5d7f1735d1 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Sat, 2 Mar 2019 16:05:56 +0200 +Subject: [PATCH 09/14] SAE: Use constant time operations in + sae_test_pwd_seed_ffc() + +Try to avoid showing externally visible timing or memory access +differences regardless of whether the derived pwd-value is smaller than +the group prime. + +This is related to CVE-2019-9494. + +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +Signed-off-by: Adrian Bunk <bunk@stusta.de> +Upstream-Status: Backport +CVE: CVE-2019-9494 +--- + src/common/sae.c | 75 ++++++++++++++++++++++++++++++++++---------------------- + 1 file changed, 46 insertions(+), 29 deletions(-) + +diff --git a/src/common/sae.c b/src/common/sae.c +index fa9a145..eaf825d 100644 +--- a/src/common/sae.c ++++ b/src/common/sae.c +@@ -334,14 +334,17 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, + } + + ++/* Returns -1 on fatal failure, 0 if PWE cannot be derived from the provided ++ * pwd-seed, or 1 if a valid PWE was derived from pwd-seed. */ + static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed, + struct crypto_bignum *pwe) + { + u8 pwd_value[SAE_MAX_PRIME_LEN]; + size_t bits = sae->tmp->prime_len * 8; + u8 exp[1]; +- struct crypto_bignum *a, *b; +- int res; ++ struct crypto_bignum *a, *b = NULL; ++ int res, is_val; ++ u8 pwd_value_valid; + + wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN); + +@@ -353,16 +356,29 @@ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed, + wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value, + sae->tmp->prime_len); + +- if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0) +- { +- wpa_printf(MSG_DEBUG, "SAE: pwd-value >= p"); +- return 0; +- } ++ /* Check whether pwd-value < p */ ++ res = const_time_memcmp(pwd_value, sae->tmp->dh->prime, ++ sae->tmp->prime_len); ++ /* pwd-value >= p is invalid, so res is < 0 for the valid cases and ++ * the negative sign can be used to fill the mask for constant time ++ * selection */ ++ pwd_value_valid = const_time_fill_msb(res); ++ ++ /* If pwd-value >= p, force pwd-value to be < p and perform the ++ * calculations anyway to hide timing difference. The derived PWE will ++ * be ignored in that case. */ ++ pwd_value[0] = const_time_select_u8(pwd_value_valid, pwd_value[0], 0); + + /* PWE = pwd-value^((p-1)/r) modulo p */ + ++ res = -1; + a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); ++ if (!a) ++ goto fail; + ++ /* This is an optimization based on the used group that does not depend ++ * on the password in any way, so it is fine to use separate branches ++ * for this step without constant time operations. */ + if (sae->tmp->dh->safe_prime) { + /* + * r = (p-1)/2 for the group used here, so this becomes: +@@ -376,33 +392,34 @@ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed, + b = crypto_bignum_init_set(exp, sizeof(exp)); + if (b == NULL || + crypto_bignum_sub(sae->tmp->prime, b, b) < 0 || +- crypto_bignum_div(b, sae->tmp->order, b) < 0) { +- crypto_bignum_deinit(b, 0); +- b = NULL; +- } ++ crypto_bignum_div(b, sae->tmp->order, b) < 0) ++ goto fail; + } + +- if (a == NULL || b == NULL) +- res = -1; +- else +- res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe); +- +- crypto_bignum_deinit(a, 0); +- crypto_bignum_deinit(b, 0); ++ if (!b) ++ goto fail; + +- if (res < 0) { +- wpa_printf(MSG_DEBUG, "SAE: Failed to calculate PWE"); +- return -1; +- } ++ res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe); ++ if (res < 0) ++ goto fail; + +- /* if (PWE > 1) --> found */ +- if (crypto_bignum_is_zero(pwe) || crypto_bignum_is_one(pwe)) { +- wpa_printf(MSG_DEBUG, "SAE: PWE <= 1"); +- return 0; +- } ++ /* There were no fatal errors in calculations, so determine the return ++ * value using constant time operations. We get here for number of ++ * invalid cases which are cleared here after having performed all the ++ * computation. PWE is valid if pwd-value was less than prime and ++ * PWE > 1. Start with pwd-value check first and then use constant time ++ * operations to clear res to 0 if PWE is 0 or 1. ++ */ ++ res = const_time_select_u8(pwd_value_valid, 1, 0); ++ is_val = crypto_bignum_is_zero(pwe); ++ res = const_time_select_u8(const_time_is_zero(is_val), res, 0); ++ is_val = crypto_bignum_is_one(pwe); ++ res = const_time_select_u8(const_time_is_zero(is_val), res, 0); + +- wpa_printf(MSG_DEBUG, "SAE: PWE found"); +- return 1; ++fail: ++ crypto_bignum_deinit(a, 1); ++ crypto_bignum_deinit(b, 1); ++ return res; + } + + +-- +2.7.4 + |