From 7bed9bf10fc8d05df34c7efc66e8b4ade37a1a0c Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Sun, 8 Sep 2019 23:53:18 +0200 Subject: hostapd: SAE/EAP-pwd side-channel attack update Fixes this security problem: * SAE/EAP-pwd side-channel attack update https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt Signed-off-by: Hauke Mehrtens --- ...-const_time_memcmp-for-pwd_value-prime-co.patch | 65 ++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 package/network/services/hostapd/patches/066-0002-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch (limited to 'package/network/services/hostapd/patches/066-0002-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch') diff --git a/package/network/services/hostapd/patches/066-0002-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch b/package/network/services/hostapd/patches/066-0002-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch new file mode 100644 index 0000000000..6bbda2bdb6 --- /dev/null +++ b/package/network/services/hostapd/patches/066-0002-EAP-pwd-Use-const_time_memcmp-for-pwd_value-prime-co.patch @@ -0,0 +1,65 @@ +From 20d7bd83c43fb24c4cf84d3045254d3ee1957166 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Thu, 25 Apr 2019 19:07:05 +0300 +Subject: [PATCH 2/6] EAP-pwd: Use const_time_memcmp() for pwd_value >= prime + comparison + +This reduces timing and memory access pattern differences for an +operation that could depend on the used password. + +Signed-off-by: Jouni Malinen +(cherry picked from commit 7958223fdcfe82479e6ed71019a84f6d4cbf799c) +--- + src/eap_common/eap_pwd_common.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/src/eap_common/eap_pwd_common.c ++++ b/src/eap_common/eap_pwd_common.c +@@ -144,6 +144,7 @@ int compute_password_element(EAP_PWD_gro + u8 qnr_bin[MAX_ECC_PRIME_LEN]; + u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN]; + u8 x_bin[MAX_ECC_PRIME_LEN]; ++ u8 prime_bin[MAX_ECC_PRIME_LEN]; + struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL; + struct crypto_hash *hash; + unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; +@@ -161,6 +162,11 @@ int compute_password_element(EAP_PWD_gro + os_memset(x_bin, 0, sizeof(x_bin)); + + prime = crypto_ec_get_prime(grp->group); ++ primebitlen = crypto_ec_prime_len_bits(grp->group); ++ primebytelen = crypto_ec_prime_len(grp->group); ++ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin), ++ primebytelen) < 0) ++ return -1; + cofactor = crypto_bignum_init(); + grp->pwe = crypto_ec_point_init(grp->group); + tmp1 = crypto_bignum_init(); +@@ -176,8 +182,6 @@ int compute_password_element(EAP_PWD_gro + "curve"); + goto fail; + } +- primebitlen = crypto_ec_prime_len_bits(grp->group); +- primebytelen = crypto_ec_prime_len(grp->group); + if ((prfbuf = os_malloc(primebytelen)) == NULL) { + wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf " + "buffer"); +@@ -243,6 +247,8 @@ int compute_password_element(EAP_PWD_gro + if (primebitlen % 8) + buf_shift_right(prfbuf, primebytelen, + 8 - primebitlen % 8); ++ if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0) ++ continue; + + crypto_bignum_deinit(x_candidate, 1); + x_candidate = crypto_bignum_init_set(prfbuf, primebytelen); +@@ -252,9 +258,6 @@ int compute_password_element(EAP_PWD_gro + goto fail; + } + +- if (crypto_bignum_cmp(x_candidate, prime) >= 0) +- continue; +- + wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate", + prfbuf, primebytelen); + const_time_select_bin(found, x_bin, prfbuf, primebytelen, -- cgit v1.2.3