Inicio Explorar Axuda
Rexistro Iniciar sesión
RD_Software
/
linux-arkmicro
2
0
Fork 1
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Árbore: 4528488b0d
Ramas Etiquetas
linux-arkmicro
/
buildroot
/
dl
/
wpa_supplicant
/
0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch

0009-SAE-Use-constant-time-operations-in-sae_test_pwd_see.patch 4.4 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136 
  1. From cff138b0747fa39765cbc641b66cfa5d7f1735d1 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Jouni Malinen <jouni@codeaurora.org>
    3. 

  3. Date: Sat, 2 Mar 2019 16:05:56 +0200
    4. 

  4. Subject: [PATCH 09/14] SAE: Use constant time operations in
    5. 

  5.  sae_test_pwd_seed_ffc()
    6. 

  6. 

  7. Try to avoid showing externally visible timing or memory access
    8. 

  8. differences regardless of whether the derived pwd-value is smaller than
    9. 

  9. the group prime.
    10. 

  10. 

  11. This is related to CVE-2019-9494.
    12. 

  12. 

  13. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
    14. 

  14. ---
    15. 

  15.  src/common/sae.c | 75 ++++++++++++++++++++++++++++++++++----------------------
    16. 

  16.  1 file changed, 46 insertions(+), 29 deletions(-)
    17. 

  17. 

  18. diff --git a/src/common/sae.c b/src/common/sae.c
    19. 

  19. index fa9a145..eaf825d 100644
    20. 

  20. --- a/src/common/sae.c
    21. 

  21. +++ b/src/common/sae.c
    22. 

  22. @@ -334,14 +334,17 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
    23. 

  23.  }
    24. 

  24.  
    25. 

  25.  
    26. 

  26. +/* Returns -1 on fatal failure, 0 if PWE cannot be derived from the provided
    27. 

  27. + * pwd-seed, or 1 if a valid PWE was derived from pwd-seed. */
    28. 

  28.  static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
    29. 

  29.  				 struct crypto_bignum *pwe)
    30. 

  30.  {
    31. 

  31.  	u8 pwd_value[SAE_MAX_PRIME_LEN];
    32. 

  32.  	size_t bits = sae->tmp->prime_len * 8;
    33. 

  33.  	u8 exp[1];
    34. 

  34. -	struct crypto_bignum *a, *b;
    35. 

  35. -	int res;
    36. 

  36. +	struct crypto_bignum *a, *b = NULL;
    37. 

  37. +	int res, is_val;
    38. 

  38. +	u8 pwd_value_valid;
    39. 

  39.  
    40. 

  40.  	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
    41. 

  41.  
    42. 

  42. @@ -353,16 +356,29 @@ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
    43. 

  43.  	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value,
    44. 

  44.  			sae->tmp->prime_len);
    45. 

  45.  
    46. 

  46. -	if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0)
    47. 

  47. -	{
    48. 

  48. -		wpa_printf(MSG_DEBUG, "SAE: pwd-value >= p");
    49. 

  49. -		return 0;
    50. 

  50. -	}
    51. 

  51. +	/* Check whether pwd-value < p */
    52. 

  52. +	res = const_time_memcmp(pwd_value, sae->tmp->dh->prime,
    53. 

  53. +				sae->tmp->prime_len);
    54. 

  54. +	/* pwd-value >= p is invalid, so res is < 0 for the valid cases and
    55. 

  55. +	 * the negative sign can be used to fill the mask for constant time
    56. 

  56. +	 * selection */
    57. 

  57. +	pwd_value_valid = const_time_fill_msb(res);
    58. 

  58. +
    59. 

  59. +	/* If pwd-value >= p, force pwd-value to be < p and perform the
    60. 

  60. +	 * calculations anyway to hide timing difference. The derived PWE will
    61. 

  61. +	 * be ignored in that case. */
    62. 

  62. +	pwd_value[0] = const_time_select_u8(pwd_value_valid, pwd_value[0], 0);
    63. 

  63.  
    64. 

  64.  	/* PWE = pwd-value^((p-1)/r) modulo p */
    65. 

  65.  
    66. 

  66. +	res = -1;
    67. 

  67.  	a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
    68. 

  68. +	if (!a)
    69. 

  69. +		goto fail;
    70. 

  70.  
    71. 

  71. +	/* This is an optimization based on the used group that does not depend
    72. 

  72. +	 * on the password in any way, so it is fine to use separate branches
    73. 

  73. +	 * for this step without constant time operations. */
    74. 

  74.  	if (sae->tmp->dh->safe_prime) {
    75. 

  75.  		/*
    76. 

  76.  		 * r = (p-1)/2 for the group used here, so this becomes:
    77. 

  77. @@ -376,33 +392,34 @@ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
    78. 

  78.  		b = crypto_bignum_init_set(exp, sizeof(exp));
    79. 

  79.  		if (b == NULL ||
    80. 

  80.  		    crypto_bignum_sub(sae->tmp->prime, b, b) < 0 ||
    81. 

  81. -		    crypto_bignum_div(b, sae->tmp->order, b) < 0) {
    82. 

  82. -			crypto_bignum_deinit(b, 0);
    83. 

  83. -			b = NULL;
    84. 

  84. -		}
    85. 

  85. +		    crypto_bignum_div(b, sae->tmp->order, b) < 0)
    86. 

  86. +			goto fail;
    87. 

  87.  	}
    88. 

  88.  
    89. 

  89. -	if (a == NULL || b == NULL)
    90. 

  90. -		res = -1;
    91. 

  91. -	else
    92. 

  92. -		res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
    93. 

  93. -
    94. 

  94. -	crypto_bignum_deinit(a, 0);
    95. 

  95. -	crypto_bignum_deinit(b, 0);
    96. 

  96. +	if (!b)
    97. 

  97. +		goto fail;
    98. 

  98.  
    99. 

  99. -	if (res < 0) {
    100. 

  100. -		wpa_printf(MSG_DEBUG, "SAE: Failed to calculate PWE");
    101. 

  101. -		return -1;
    102. 

  102. -	}
    103. 

  103. +	res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
    104. 

  104. +	if (res < 0)
    105. 

  105. +		goto fail;
    106. 

  106.  
    107. 

  107. -	/* if (PWE > 1) --> found */
    108. 

  108. -	if (crypto_bignum_is_zero(pwe) || crypto_bignum_is_one(pwe)) {
    109. 

  109. -		wpa_printf(MSG_DEBUG, "SAE: PWE <= 1");
    110. 

  110. -		return 0;
    111. 

  111. -	}
    112. 

  112. +	/* There were no fatal errors in calculations, so determine the return
    113. 

  113. +	 * value using constant time operations. We get here for number of
    114. 

  114. +	 * invalid cases which are cleared here after having performed all the
    115. 

  115. +	 * computation. PWE is valid if pwd-value was less than prime and
    116. 

  116. +	 * PWE > 1. Start with pwd-value check first and then use constant time
    117. 

  117. +	 * operations to clear res to 0 if PWE is 0 or 1.
    118. 

  118. +	 */
    119. 

  119. +	res = const_time_select_u8(pwd_value_valid, 1, 0);
    120. 

  120. +	is_val = crypto_bignum_is_zero(pwe);
    121. 

  121. +	res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
    122. 

  122. +	is_val = crypto_bignum_is_one(pwe);
    123. 

  123. +	res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
    124. 

  124.  
    125. 

  125. -	wpa_printf(MSG_DEBUG, "SAE: PWE found");
    126. 

  126. -	return 1;
    127. 

  127. +fail:
    128. 

  128. +	crypto_bignum_deinit(a, 1);
    129. 

  129. +	crypto_bignum_deinit(b, 1);
    130. 

  130. +	return res;
    131. 

  131.  }
    132. 

  132.  
    133. 

  133.  
    134. 

  134. -- 
    135. 

  135. 2.7.4
    136. 

  136.