Accueil Explorer Aide
S'inscrire Connexion
RD_Software
/
linux-arkmicro
2
0
Fork 1
Fichiers Tickets 0 Pull Requests 0 Wiki
Aborescence: 4528488b0d
Branches Tags
linux-arkmicro
/
buildroot
/
dl
/
hostapd
/
0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch

0006-SAE-Avoid-branches-in-is_quadratic_residue_blind.patch 4.8 KB
Historique Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144 
  1. From 362704dda04507e7ebb8035122e83d9f0ae7c320 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Jouni Malinen <jouni@codeaurora.org>
    3. 

  3. Date: Tue, 26 Feb 2019 19:34:38 +0200
    4. 

  4. Subject: [PATCH 06/14] SAE: Avoid branches in is_quadratic_residue_blind()
    5. 

  5. 

  6. Make the non-failure path in the function proceed without branches based
    7. 

  7. on r_odd and in constant time to minimize risk of observable differences
    8. 

  8. in timing or cache use. (CVE-2019-9494)
    9. 

  9. 

  10. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
    11. 

  11. ---
    12. 

  12.  src/common/sae.c | 64 ++++++++++++++++++++++++++++++++------------------------
    13. 

  13.  1 file changed, 37 insertions(+), 27 deletions(-)
    14. 

  14. 

  15. diff --git a/src/common/sae.c b/src/common/sae.c
    16. 

  16. index d55323b..5df9b95 100644
    17. 

  17. --- a/src/common/sae.c
    18. 

  18. +++ b/src/common/sae.c
    19. 

  19. @@ -232,12 +232,14 @@ get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits,
    20. 

  20.  
    21. 

  21.  static int is_quadratic_residue_blind(struct sae_data *sae,
    22. 

  22.  				      const u8 *prime, size_t bits,
    23. 

  23. -				      const struct crypto_bignum *qr,
    24. 

  24. -				      const struct crypto_bignum *qnr,
    25. 

  25. +				      const u8 *qr, const u8 *qnr,
    26. 

  26.  				      const struct crypto_bignum *y_sqr)
    27. 

  27.  {
    28. 

  28. -	struct crypto_bignum *r, *num;
    29. 

  29. +	struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
    30. 

  30.  	int r_odd, check, res = -1;
    31. 

  31. +	u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
    32. 

  32. +	size_t prime_len = sae->tmp->prime_len;
    33. 

  33. +	unsigned int mask;
    34. 

  34.  
    35. 

  35.  	/*
    36. 

  36.  	 * Use the blinding technique to mask y_sqr while determining
    37. 

  37. @@ -248,7 +250,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
    38. 

  38.  	 * r = a random number between 1 and p-1, inclusive
    39. 

  39.  	 * num = (v * r * r) modulo p
    40. 

  40.  	 */
    41. 

  41. -	r = get_rand_1_to_p_1(prime, sae->tmp->prime_len, bits, &r_odd);
    42. 

  42. +	r = get_rand_1_to_p_1(prime, prime_len, bits, &r_odd);
    43. 

  43.  	if (!r)
    44. 

  44.  		return -1;
    45. 

  45.  
    46. 

  46. @@ -258,41 +260,45 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
    47. 

  47.  	    crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0)
    48. 

  48.  		goto fail;
    49. 

  49.  
    50. 

  50. -	if (r_odd) {
    51. 

  51. -		/*
    52. 

  52. -		 * num = (num * qr) module p
    53. 

  53. -		 * LGR(num, p) = 1 ==> quadratic residue
    54. 

  54. -		 */
    55. 

  55. -		if (crypto_bignum_mulmod(num, qr, sae->tmp->prime, num) < 0)
    56. 

  56. -			goto fail;
    57. 

  57. -		check = 1;
    58. 

  58. -	} else {
    59. 

  59. -		/*
    60. 

  60. -		 * num = (num * qnr) module p
    61. 

  61. -		 * LGR(num, p) = -1 ==> quadratic residue
    62. 

  62. -		 */
    63. 

  63. -		if (crypto_bignum_mulmod(num, qnr, sae->tmp->prime, num) < 0)
    64. 

  64. -			goto fail;
    65. 

  65. -		check = -1;
    66. 

  66. -	}
    67. 

  67. +	/*
    68. 

  68. +	 * Need to minimize differences in handling different cases, so try to
    69. 

  69. +	 * avoid branches and timing differences.
    70. 

  70. +	 *
    71. 

  71. +	 * If r_odd:
    72. 

  72. +	 * num = (num * qr) module p
    73. 

  73. +	 * LGR(num, p) = 1 ==> quadratic residue
    74. 

  74. +	 * else:
    75. 

  75. +	 * num = (num * qnr) module p
    76. 

  76. +	 * LGR(num, p) = -1 ==> quadratic residue
    77. 

  77. +	 */
    78. 

  78. +	mask = const_time_is_zero(r_odd);
    79. 

  79. +	const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
    80. 

  80. +	qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
    81. 

  81. +	if (!qr_or_qnr ||
    82. 

  82. +	    crypto_bignum_mulmod(num, qr_or_qnr, sae->tmp->prime, num) < 0)
    83. 

  83. +		goto fail;
    84. 

  84. +	/* r_odd is 0 or 1; branchless version of check = r_odd ? 1 : -1, */
    85. 

  85. +	check = const_time_select_int(mask, -1, 1);
    86. 

  86.  
    87. 

  87.  	res = crypto_bignum_legendre(num, sae->tmp->prime);
    88. 

  88.  	if (res == -2) {
    89. 

  89.  		res = -1;
    90. 

  90.  		goto fail;
    91. 

  91.  	}
    92. 

  92. -	res = res == check;
    93. 

  93. +	/* branchless version of res = res == check
    94. 

  94. +	 * (res is -1, 0, or 1; check is -1 or 1) */
    95. 

  95. +	mask = const_time_eq(res, check);
    96. 

  96. +	res = const_time_select_int(mask, 1, 0);
    97. 

  97.  fail:
    98. 

  98.  	crypto_bignum_deinit(num, 1);
    99. 

  99.  	crypto_bignum_deinit(r, 1);
    100. 

  100. +	crypto_bignum_deinit(qr_or_qnr, 1);
    101. 

  101.  	return res;
    102. 

  102.  }
    103. 

  103.  
    104. 

  104.  
    105. 

  105.  static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
    106. 

  106. -				 const u8 *prime,
    107. 

  107. -				 const struct crypto_bignum *qr,
    108. 

  108. -				 const struct crypto_bignum *qnr,
    109. 

  109. +				 const u8 *prime, const u8 *qr, const u8 *qnr,
    110. 

  110.  				 u8 *pwd_value)
    111. 

  111.  {
    112. 

  112.  	struct crypto_bignum *y_sqr, *x_cand;
    113. 

  113. @@ -452,6 +458,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
    114. 

  114.  	struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
    115. 

  115.  	u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
    116. 

  116.  	u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
    117. 

  117. +	u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
    118. 

  118. +	u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
    119. 

  119.  	size_t bits;
    120. 

  120.  	int res = -1;
    121. 

  121.  	u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
    122. 

  122. @@ -476,7 +484,9 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
    123. 

  123.  	 * (qnr) modulo p for blinding purposes during the loop.
    124. 

  124.  	 */
    125. 

  125.  	if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
    126. 

  126. -			      &qr, &qnr) < 0)
    127. 

  127. +			      &qr, &qnr) < 0 ||
    128. 

  128. +	    crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin), prime_len) < 0 ||
    129. 

  129. +	    crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin), prime_len) < 0)
    130. 

  130.  		goto fail;
    131. 

  131.  
    132. 

  132.  	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
    133. 

  133. @@ -527,7 +537,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
    134. 

  134.  			break;
    135. 

  135.  
    136. 

  136.  		res = sae_test_pwd_seed_ecc(sae, pwd_seed,
    137. 

  137. -					    prime, qr, qnr, x_cand_bin);
    138. 

  138. +					    prime, qr_bin, qnr_bin, x_cand_bin);
    139. 

  139.  		const_time_select_bin(found, x_bin, x_cand_bin, prime_len,
    140. 

  140.  				      x_bin);
    141. 

  141.  		pwd_seed_odd = const_time_select_u8(
    142. 

  142. -- 
    143. 

  143. 2.7.4
    144. 

  144.