mirror of https://github.com/hak5/openwrt.git
243 lines
7.2 KiB
Diff
243 lines
7.2 KiB
Diff
From 6513db3e96c43c2e36805cf5ead349765d18eaf7 Mon Sep 17 00:00:00 2001
|
|
From: Jouni Malinen <jouni@codeaurora.org>
|
|
Date: Tue, 26 Feb 2019 13:05:09 +0200
|
|
Subject: [PATCH 05/14] SAE: Minimize timing differences in PWE derivation
|
|
|
|
The QR test result can provide information about the password to an
|
|
attacker, so try to minimize differences in how the
|
|
sae_test_pwd_seed_ecc() result is used. (CVE-2019-9494)
|
|
|
|
Use heap memory for the dummy password to allow the same password length
|
|
to be used even with long passwords.
|
|
|
|
Use constant time selection functions to track the real vs. dummy
|
|
variables so that the exact same operations can be performed for both QR
|
|
test results.
|
|
|
|
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
|
|
---
|
|
src/common/sae.c | 106 ++++++++++++++++++++++++++++++-------------------------
|
|
1 file changed, 57 insertions(+), 49 deletions(-)
|
|
|
|
--- a/src/common/sae.c
|
|
+++ b/src/common/sae.c
|
|
@@ -9,6 +9,7 @@
|
|
#include "includes.h"
|
|
|
|
#include "common.h"
|
|
+#include "utils/const_time.h"
|
|
#include "crypto/crypto.h"
|
|
#include "crypto/sha256.h"
|
|
#include "crypto/random.h"
|
|
@@ -269,15 +270,12 @@ static int sae_test_pwd_seed_ecc(struct
|
|
const u8 *prime,
|
|
const struct crypto_bignum *qr,
|
|
const struct crypto_bignum *qnr,
|
|
- struct crypto_bignum **ret_x_cand)
|
|
+ u8 *pwd_value)
|
|
{
|
|
- u8 pwd_value[SAE_MAX_ECC_PRIME_LEN];
|
|
struct crypto_bignum *y_sqr, *x_cand;
|
|
int res;
|
|
size_t bits;
|
|
|
|
- *ret_x_cand = NULL;
|
|
-
|
|
wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
|
|
|
|
/* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
|
|
@@ -286,7 +284,7 @@ static int sae_test_pwd_seed_ecc(struct
|
|
prime, sae->tmp->prime_len, pwd_value, bits) < 0)
|
|
return -1;
|
|
if (bits % 8)
|
|
- buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8);
|
|
+ buf_shift_right(pwd_value, sae->tmp->prime_len, 8 - bits % 8);
|
|
wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
|
|
pwd_value, sae->tmp->prime_len);
|
|
|
|
@@ -297,20 +295,13 @@ static int sae_test_pwd_seed_ecc(struct
|
|
if (!x_cand)
|
|
return -1;
|
|
y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand);
|
|
- if (!y_sqr) {
|
|
- crypto_bignum_deinit(x_cand, 1);
|
|
+ crypto_bignum_deinit(x_cand, 1);
|
|
+ if (!y_sqr)
|
|
return -1;
|
|
- }
|
|
|
|
res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
|
|
crypto_bignum_deinit(y_sqr, 1);
|
|
- if (res <= 0) {
|
|
- crypto_bignum_deinit(x_cand, 1);
|
|
- return res;
|
|
- }
|
|
-
|
|
- *ret_x_cand = x_cand;
|
|
- return 1;
|
|
+ return res;
|
|
}
|
|
|
|
|
|
@@ -431,25 +422,30 @@ static int sae_derive_pwe_ecc(struct sae
|
|
const u8 *addr[3];
|
|
size_t len[3];
|
|
size_t num_elem;
|
|
- u8 dummy_password[32];
|
|
- size_t dummy_password_len;
|
|
+ u8 *dummy_password, *tmp_password;
|
|
int pwd_seed_odd = 0;
|
|
u8 prime[SAE_MAX_ECC_PRIME_LEN];
|
|
size_t prime_len;
|
|
- struct crypto_bignum *x = NULL, *qr, *qnr;
|
|
+ struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
|
|
+ u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
|
|
+ u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
|
|
size_t bits;
|
|
- int res;
|
|
-
|
|
- dummy_password_len = password_len;
|
|
- if (dummy_password_len > sizeof(dummy_password))
|
|
- dummy_password_len = sizeof(dummy_password);
|
|
- if (random_get_bytes(dummy_password, dummy_password_len) < 0)
|
|
- return -1;
|
|
+ int res = -1;
|
|
+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
|
|
+ * mask */
|
|
+
|
|
+ os_memset(x_bin, 0, sizeof(x_bin));
|
|
+
|
|
+ dummy_password = os_malloc(password_len);
|
|
+ tmp_password = os_malloc(password_len);
|
|
+ if (!dummy_password || !tmp_password ||
|
|
+ random_get_bytes(dummy_password, password_len) < 0)
|
|
+ goto fail;
|
|
|
|
prime_len = sae->tmp->prime_len;
|
|
if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
|
|
prime_len) < 0)
|
|
- return -1;
|
|
+ goto fail;
|
|
bits = crypto_ec_prime_len_bits(sae->tmp->ec);
|
|
|
|
/*
|
|
@@ -458,7 +454,7 @@ static int sae_derive_pwe_ecc(struct sae
|
|
*/
|
|
if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
|
|
&qr, &qnr) < 0)
|
|
- return -1;
|
|
+ goto fail;
|
|
|
|
wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
|
|
password, password_len);
|
|
@@ -474,7 +470,7 @@ static int sae_derive_pwe_ecc(struct sae
|
|
*/
|
|
sae_pwd_seed_key(addr1, addr2, addrs);
|
|
|
|
- addr[0] = password;
|
|
+ addr[0] = tmp_password;
|
|
len[0] = password_len;
|
|
num_elem = 1;
|
|
if (identifier) {
|
|
@@ -491,9 +487,8 @@ static int sae_derive_pwe_ecc(struct sae
|
|
* attacks that attempt to determine the number of iterations required
|
|
* in the loop.
|
|
*/
|
|
- for (counter = 1; counter <= k || !x; counter++) {
|
|
+ for (counter = 1; counter <= k || !found; counter++) {
|
|
u8 pwd_seed[SHA256_MAC_LEN];
|
|
- struct crypto_bignum *x_cand;
|
|
|
|
if (counter > 200) {
|
|
/* This should not happen in practice */
|
|
@@ -501,40 +496,49 @@ static int sae_derive_pwe_ecc(struct sae
|
|
break;
|
|
}
|
|
|
|
- wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
|
|
+ wpa_printf(MSG_DEBUG, "SAE: counter = %03u", counter);
|
|
+ const_time_select_bin(found, dummy_password, password,
|
|
+ password_len, tmp_password);
|
|
if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
|
|
addr, len, pwd_seed) < 0)
|
|
break;
|
|
|
|
res = sae_test_pwd_seed_ecc(sae, pwd_seed,
|
|
- prime, qr, qnr, &x_cand);
|
|
+ prime, qr, qnr, x_cand_bin);
|
|
+ const_time_select_bin(found, x_bin, x_cand_bin, prime_len,
|
|
+ x_bin);
|
|
+ pwd_seed_odd = const_time_select_u8(
|
|
+ found, pwd_seed_odd,
|
|
+ pwd_seed[SHA256_MAC_LEN - 1] & 0x01);
|
|
+ os_memset(pwd_seed, 0, sizeof(pwd_seed));
|
|
if (res < 0)
|
|
goto fail;
|
|
- if (res > 0 && !x) {
|
|
- wpa_printf(MSG_DEBUG,
|
|
- "SAE: Selected pwd-seed with counter %u",
|
|
- counter);
|
|
- x = x_cand;
|
|
- pwd_seed_odd = pwd_seed[SHA256_MAC_LEN - 1] & 0x01;
|
|
- os_memset(pwd_seed, 0, sizeof(pwd_seed));
|
|
-
|
|
- /*
|
|
- * Use a dummy password for the following rounds, if
|
|
- * any.
|
|
- */
|
|
- addr[0] = dummy_password;
|
|
- len[0] = dummy_password_len;
|
|
- } else if (res > 0) {
|
|
- crypto_bignum_deinit(x_cand, 1);
|
|
- }
|
|
+ /* Need to minimize differences in handling res == 0 and 1 here
|
|
+ * to avoid differences in timing and instruction cache access,
|
|
+ * so use const_time_select_*() to make local copies of the
|
|
+ * values based on whether this loop iteration was the one that
|
|
+ * found the pwd-seed/x. */
|
|
+
|
|
+ /* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them
|
|
+ * (with res converted to 0/0xff) handles this in constant time.
|
|
+ */
|
|
+ found |= res * 0xff;
|
|
+ wpa_printf(MSG_DEBUG, "SAE: pwd-seed result %d found=0x%02x",
|
|
+ res, found);
|
|
}
|
|
|
|
- if (!x) {
|
|
+ if (!found) {
|
|
wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
|
|
res = -1;
|
|
goto fail;
|
|
}
|
|
|
|
+ x = crypto_bignum_init_set(x_bin, prime_len);
|
|
+ if (!x) {
|
|
+ res = -1;
|
|
+ goto fail;
|
|
+ }
|
|
+
|
|
if (!sae->tmp->pwe_ecc)
|
|
sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
|
|
if (!sae->tmp->pwe_ecc)
|
|
@@ -543,7 +547,6 @@ static int sae_derive_pwe_ecc(struct sae
|
|
res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
|
|
sae->tmp->pwe_ecc, x,
|
|
pwd_seed_odd);
|
|
- crypto_bignum_deinit(x, 1);
|
|
if (res < 0) {
|
|
/*
|
|
* This should not happen since we already checked that there
|
|
@@ -555,6 +558,11 @@ static int sae_derive_pwe_ecc(struct sae
|
|
fail:
|
|
crypto_bignum_deinit(qr, 0);
|
|
crypto_bignum_deinit(qnr, 0);
|
|
+ os_free(dummy_password);
|
|
+ bin_clear_free(tmp_password, password_len);
|
|
+ crypto_bignum_deinit(x, 1);
|
|
+ os_memset(x_bin, 0, sizeof(x_bin));
|
|
+ os_memset(x_cand_bin, 0, sizeof(x_cand_bin));
|
|
|
|
return res;
|
|
}
|