authorHauke Mehrtens <hauke@hauke-m.de>2019-09-08 23:53:18 +0200
committerHauke Mehrtens <hauke@hauke-m.de>2019-09-21 21:16:07 +0200
commite289a4133cdd424876aae8a8a9947bee6d1b5230 (patch)
tree68ea2af26049d7d491108ac5a08b6906f686ec15 /package/network/services/hostapd/patches/066-0004-SAE-Run-through-prf-result-processing-even-if-it-pri.patch
parenta63edb469128aeee7d5fbc93709a25716e982e28 (diff)
hostapd: SAE/EAP-pwd side-channel attack update
Fixes this security problem: * SAE/EAP-pwd side-channel attack update https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 7bed9bf10fc8d05df34c7efc66e8b4ade37a1a0c)
Diffstat (limited to 'package/network/services/hostapd/patches/066-0004-SAE-Run-through-prf-result-processing-even-if-it-pri.patch')
-rw-r--r--package/network/services/hostapd/patches/066-0004-SAE-Run-through-prf-result-processing-even-if-it-pri.patch54
1 files changed, 54 insertions, 0 deletions
diff --git a/package/network/services/hostapd/patches/066-0004-SAE-Run-through-prf-result-processing-even-if-it-pri.patch b/package/network/services/hostapd/patches/066-0004-SAE-Run-through-prf-result-processing-even-if-it-pri.patch
new file mode 100644
index 0000000000..7337cb35bd
--- /dev/null
+++ b/package/network/services/hostapd/patches/066-0004-SAE-Run-through-prf-result-processing-even-if-it-pri.patch
@@ -0,0 +1,54 @@
+From a25b48118d75f3c2d7cb1b2c3b4cffb13091a34c Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 24 Jun 2019 23:01:06 +0300
+Subject: [PATCH 4/6] SAE: Run through prf result processing even if it >=
+ prime
+
+This reduces differences in timing and memory access within the
+hunting-and-pecking loop for ECC groups that have a prime that is not
+close to a power of two (e.g., Brainpool curves).
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+(cherry picked from commit 147bf7b88a9c231322b5b574263071ca6dbb0503)
+---
+ src/common/sae.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -304,6 +304,8 @@ static int sae_test_pwd_seed_ecc(struct
+ struct crypto_bignum *y_sqr, *x_cand;
+ int res;
+ size_t bits;
++ int cmp_prime;
++ unsigned int in_range;
+
+ wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
+
+@@ -317,8 +319,13 @@ static int sae_test_pwd_seed_ecc(struct
+ wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
+ pwd_value, sae->tmp->prime_len);
+
+- if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
+- return 0;
++ cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len);
++ /* Create a const_time mask for selection based on prf result
++ * being smaller than prime. */
++ in_range = const_time_fill_msb((unsigned int) cmp_prime);
++ /* The algorithm description would skip the next steps if
++ * cmp_prime >= 0 (reutnr 0 here), but go through them regardless to
++ * minimize externally observable differences in behavior. */
+
+ x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
+ if (!x_cand)
+@@ -330,7 +337,9 @@ static int sae_test_pwd_seed_ecc(struct
+
+ res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
+ crypto_bignum_deinit(y_sqr, 1);
+- return res;
++ if (res < 0)
++ return res;
++ return const_time_select_int(in_range, res, 0);
+ }
+
+
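Review bot: The `in_range` mask is only correct if `const_time_memcmp()` returns a negative value when pwd_value is below the prime and `const_time_fill_msb()` expands that sign bit to all ones, and the comment above the assignment does not state this; I would spell it out, e.g. `/* in_range is all ones when pwd_value < prime (cmp_prime < 0), zero otherwise */`. Out-of-range candidates now reach `crypto_bignum_init_set()` and the y_sqr computation that sits between the inner hunks (not visible here; sae_test_pwd_seed_ecc also starts outside them). It is worth confirming that none of those steps can fail or take a different path for a value >= prime, because the remaining `if (res < 0) return res;` and the earlier `-1` returns are ordinary branches, and an error triggered only by out-of-range input would bring back an observable difference. The added comment also carries the typo `reutnr`; if this file is meant to stay identical to the commit it was cherry-picked from, leave it as is rather than fixing it locally.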