diff options
author | Hauke Mehrtens <hauke@hauke-m.de> | 2019-09-08 23:53:18 +0200 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2019-09-10 21:55:02 +0200 |
commit | e8c5e6177d39c7db7eb90534edc5b259628aca98 (patch) | |
tree | 2b535de18f13c0e475f29caac7e3ab723875df5b /package/network/services/hostapd/patches/066-0000-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch | |
parent | a0c84947043db72f9e1078b009ac039ed2246f2c (diff) | |
download | upstream-e8c5e6177d39c7db7eb90534edc5b259628aca98.tar.gz upstream-e8c5e6177d39c7db7eb90534edc5b259628aca98.tar.bz2 upstream-e8c5e6177d39c7db7eb90534edc5b259628aca98.zip |
hostapd: SAE/EAP-pwd side-channel attack update
Fixes this security problem:
* SAE/EAP-pwd side-channel attack update
https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 7bed9bf10fc8d05df34c7efc66e8b4ade37a1a0c)
Diffstat (limited to 'package/network/services/hostapd/patches/066-0000-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch')
-rw-r--r-- | package/network/services/hostapd/patches/066-0000-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/package/network/services/hostapd/patches/066-0000-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch b/package/network/services/hostapd/patches/066-0000-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch new file mode 100644 index 0000000000..2d40516c7c --- /dev/null +++ b/package/network/services/hostapd/patches/066-0000-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch @@ -0,0 +1,40 @@ +From 92e1b96c26a84e503847bdd22ebadf697c4031ad Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sat, 13 Apr 2019 17:20:57 +0300 +Subject: EAP-pwd: Disallow ECC groups with a prime under 256 bits + +Based on the SAE implementation guidance update to not allow ECC groups +with a prime that is under 256 bits, reject groups 25, 26, and 27 in +EAP-pwd. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/eap_common/eap_pwd_common.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/src/eap_common/eap_pwd_common.c ++++ b/src/eap_common/eap_pwd_common.c +@@ -85,10 +85,23 @@ static int eap_pwd_kdf(const u8 *key, si + } + + ++static int eap_pwd_suitable_group(u16 num) ++{ ++ /* Do not allow ECC groups with prime under 256 bits based on guidance ++ * for the similar design in SAE. */ ++ return num == 19 || num == 20 || num == 21 || ++ num == 28 || num == 29 || num == 30; ++} ++ ++ + EAP_PWD_group * get_eap_pwd_group(u16 num) + { + EAP_PWD_group *grp; + ++ if (!eap_pwd_suitable_group(num)) { ++ wpa_printf(MSG_INFO, "EAP-pwd: unsuitable group %u", num); ++ return NULL; ++ } + grp = os_zalloc(sizeof(EAP_PWD_group)); + if (!grp) + return NULL; |