CVS commit: src/external/bsd/wpa/dist
Module Name:src Committed By: christos Date: Tue Feb 13 18:43:45 UTC 2024 Modified Files: src/external/bsd/wpa/dist/src/eap_peer: eap_config.h eap_peap.c eap_tls_common.c eap_tls_common.h src/external/bsd/wpa/dist/wpa_supplicant: wpa_supplicant.conf Log Message: https://www.phoronix.com/news/IWD-WPA-WiFi-Auth-Vulns https://www.top10vpn.com/research/wifi-vulnerabilities/ PEAP client: Update Phase 2 authentication requirements The previous PEAP client behavior allowed the server to skip Phase 2 authentication with the expectation that the server was authenticated during Phase 1 through TLS server certificate validation. Various PEAP specifications are not exactly clear on what the behavior on this front is supposed to be and as such, this ended up being more flexible than the TTLS/FAST/TEAP cases. However, this is not really ideal when unfortunately common misconfiguration of PEAP is used in deployed devices where the server trust root (ca_cert) is not configured or the user has an easy option for allowing this validation step to be skipped. Change the default PEAP client behavior to be to require Phase 2 authentication to be successfully completed for cases where TLS session resumption is not used and the client certificate has not been configured. Those two exceptions are the main cases where a deployed authentication server might skip Phase 2 and as such, where a more strict default behavior could result in undesired interoperability issues. Requiring Phase 2 authentication will end up disabling TLS session resumption automatically to avoid interoperability issues. Allow Phase 2 authentication behavior to be configured with a new phase1 configuration parameter option: 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS tunnel) behavior for PEAP: * 0 = do not require Phase 2 authentication * 1 = require Phase 2 authentication when client certificate (private_key/client_cert) is no used and TLS session resumption was not used (default) * 2 = require Phase 2 authentication in all cases To generate a diff of this commit: cvs rdiff -u -r1.1.1.7 -r1.2 \ src/external/bsd/wpa/dist/src/eap_peer/eap_config.h \ src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h cvs rdiff -u -r1.1.1.8 -r1.2 \ src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c \ src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.c cvs rdiff -u -r1.1.1.8 -r1.2 \ src/external/bsd/wpa/dist/wpa_supplicant/wpa_supplicant.conf Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/external/bsd/wpa/dist
Module Name:src Committed By: christos Date: Tue Feb 13 18:43:45 UTC 2024 Modified Files: src/external/bsd/wpa/dist/src/eap_peer: eap_config.h eap_peap.c eap_tls_common.c eap_tls_common.h src/external/bsd/wpa/dist/wpa_supplicant: wpa_supplicant.conf Log Message: https://www.phoronix.com/news/IWD-WPA-WiFi-Auth-Vulns https://www.top10vpn.com/research/wifi-vulnerabilities/ PEAP client: Update Phase 2 authentication requirements The previous PEAP client behavior allowed the server to skip Phase 2 authentication with the expectation that the server was authenticated during Phase 1 through TLS server certificate validation. Various PEAP specifications are not exactly clear on what the behavior on this front is supposed to be and as such, this ended up being more flexible than the TTLS/FAST/TEAP cases. However, this is not really ideal when unfortunately common misconfiguration of PEAP is used in deployed devices where the server trust root (ca_cert) is not configured or the user has an easy option for allowing this validation step to be skipped. Change the default PEAP client behavior to be to require Phase 2 authentication to be successfully completed for cases where TLS session resumption is not used and the client certificate has not been configured. Those two exceptions are the main cases where a deployed authentication server might skip Phase 2 and as such, where a more strict default behavior could result in undesired interoperability issues. Requiring Phase 2 authentication will end up disabling TLS session resumption automatically to avoid interoperability issues. Allow Phase 2 authentication behavior to be configured with a new phase1 configuration parameter option: 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS tunnel) behavior for PEAP: * 0 = do not require Phase 2 authentication * 1 = require Phase 2 authentication when client certificate (private_key/client_cert) is no used and TLS session resumption was not used (default) * 2 = require Phase 2 authentication in all cases To generate a diff of this commit: cvs rdiff -u -r1.1.1.7 -r1.2 \ src/external/bsd/wpa/dist/src/eap_peer/eap_config.h \ src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h cvs rdiff -u -r1.1.1.8 -r1.2 \ src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c \ src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.c cvs rdiff -u -r1.1.1.8 -r1.2 \ src/external/bsd/wpa/dist/wpa_supplicant/wpa_supplicant.conf Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/wpa/dist/src/eap_peer/eap_config.h diff -u src/external/bsd/wpa/dist/src/eap_peer/eap_config.h:1.1.1.7 src/external/bsd/wpa/dist/src/eap_peer/eap_config.h:1.2 --- src/external/bsd/wpa/dist/src/eap_peer/eap_config.h:1.1.1.7 Sun Feb 28 20:37:57 2021 +++ src/external/bsd/wpa/dist/src/eap_peer/eap_config.h Tue Feb 13 13:43:45 2024 @@ -470,6 +470,14 @@ struct eap_peer_config { * 1 = use cryptobinding if server supports it * 2 = require cryptobinding * + * phase2_auth option can be used to control Phase 2 (i.e., within TLS + * tunnel) behavior for PEAP: + * 0 = do not require Phase 2 authentication + * 1 = require Phase 2 authentication when client certificate + * (private_key/client_cert) is no used and TLS session resumption was + * not used (default) + * 2 = require Phase 2 authentication in all cases + * * EAP-WSC (WPS) uses following options: pin=Device_Password and * uuid=Device_UUID * Index: src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h diff -u src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h:1.1.1.7 src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h:1.2 --- src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h:1.1.1.7 Sun Feb 28 20:37:57 2021 +++ src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h Tue Feb 13 13:43:45 2024 @@ -79,6 +79,11 @@ struct eap_ssl_data { * tls_v13 - Whether TLS v1.3 or newer is used */ int tls_v13; + + /** + * client_cert_conf: Whether client certificate has been configured + */ + bool client_cert_conf; }; Index: src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c diff -u src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c:1.1.1.8 src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c:1.2 --- src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c:1.1.1.8 Sun Feb 28 20:37:57 2021 +++ src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c Tue Feb 13 13:43:45 2024 @@ -67,6 +67,7 @@ struct eap_peap_data { u8 cmk[20]; int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) * is enabled. */ + enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth; }; @@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); } + if (os_strstr(phase1, "phase2_auth=0")) { + data->phase2_auth = NO_AUTH; + wpa_printf(MSG_DEBUG, +
CVS commit: src/external/bsd/wpa/dist/src/ap
Module Name:src Committed By: christos Date: Thu Sep 12 23:46:11 UTC 2019 Modified Files: src/external/bsd/wpa/dist/src/ap: drv_callbacks.c ieee802_11.c Log Message: [PATCH] AP: Silently ignore management frame from unexpected source address Do not process any received Management frames with unexpected/invalid SA so that we do not add any state for unexpected STA addresses or end up sending out frames to unexpected destination. This prevents unexpected sequences where an unprotected frame might end up causing the AP to send out a response to another device and that other device processing the unexpected response. In particular, this prevents some potential denial of service cases where the unexpected response frame from the AP might result in a connected station dropping its association. Signed-off-by: Jouni Malinen To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/external/bsd/wpa/dist/src/ap/drv_callbacks.c cvs rdiff -u -r1.3 -r1.4 src/external/bsd/wpa/dist/src/ap/ieee802_11.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/external/bsd/wpa/dist/src/ap
Module Name:src Committed By: christos Date: Thu Sep 12 23:46:11 UTC 2019 Modified Files: src/external/bsd/wpa/dist/src/ap: drv_callbacks.c ieee802_11.c Log Message: [PATCH] AP: Silently ignore management frame from unexpected source address Do not process any received Management frames with unexpected/invalid SA so that we do not add any state for unexpected STA addresses or end up sending out frames to unexpected destination. This prevents unexpected sequences where an unprotected frame might end up causing the AP to send out a response to another device and that other device processing the unexpected response. In particular, this prevents some potential denial of service cases where the unexpected response frame from the AP might result in a connected station dropping its association. Signed-off-by: Jouni Malinen To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/external/bsd/wpa/dist/src/ap/drv_callbacks.c cvs rdiff -u -r1.3 -r1.4 src/external/bsd/wpa/dist/src/ap/ieee802_11.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/wpa/dist/src/ap/drv_callbacks.c diff -u src/external/bsd/wpa/dist/src/ap/drv_callbacks.c:1.4 src/external/bsd/wpa/dist/src/ap/drv_callbacks.c:1.5 --- src/external/bsd/wpa/dist/src/ap/drv_callbacks.c:1.4 Fri Jan 4 16:22:20 2019 +++ src/external/bsd/wpa/dist/src/ap/drv_callbacks.c Thu Sep 12 19:46:11 2019 @@ -129,6 +129,19 @@ int hostapd_notif_assoc(struct hostapd_d "hostapd_notif_assoc: Skip event with no address"); return -1; } + + if (is_multicast_ether_addr(addr) || + is_zero_ether_addr(addr) || + os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { + /* Do not process any frames with unexpected/invalid SA so that + * we do not add any state for unexpected STA addresses or end + * up sending out frames to unexpected destination. */ + wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR + " in received indication - ignore this indication silently", + __func__, MAC2STR(addr)); + return 0; + } + random_add_randomness(addr, ETH_ALEN); hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, Index: src/external/bsd/wpa/dist/src/ap/ieee802_11.c diff -u src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.3 src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.4 --- src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.3 Fri Jan 4 16:22:20 2019 +++ src/external/bsd/wpa/dist/src/ap/ieee802_11.c Thu Sep 12 19:46:11 2019 @@ -3978,6 +3978,18 @@ int ieee802_11_mgmt(struct hostapd_data fc = le_to_host16(mgmt->frame_control); stype = WLAN_FC_GET_STYPE(fc); + if (is_multicast_ether_addr(mgmt->sa) || + is_zero_ether_addr(mgmt->sa) || + os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { + /* Do not process any frames with unexpected/invalid SA so that + * we do not add any state for unexpected STA addresses or end + * up sending out frames to unexpected destination. */ + wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR + " in received frame - ignore this frame silently", + MAC2STR(mgmt->sa)); + return 0; + } + if (stype == WLAN_FC_STYPE_BEACON) { handle_beacon(hapd, mgmt, len, fi); return 1;
CVS commit: src/external/bsd/wpa/dist/src/eap_common
Module Name:src Committed By: christos Date: Thu Aug 8 09:56:41 UTC 2019 Modified Files: src/external/bsd/wpa/dist/src/eap_common: eap_pwd_common.c Log Message: EAP-pwd: Run through prf result processing even if it >= prime This reduces differences in timing and memory access within the hunting-and-pecking loop for ECC groups that have a prime that is not close to a power of two (e.g., Brainpool curves). Signed-off-by: Jouni Malinen (cherry picked from commit cd803299ca485eb857e37c88f973fccfbb8600e5) To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 \ src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/external/bsd/wpa/dist/src/eap_common
Module Name:src Committed By: christos Date: Thu Aug 8 09:56:41 UTC 2019 Modified Files: src/external/bsd/wpa/dist/src/eap_common: eap_pwd_common.c Log Message: EAP-pwd: Run through prf result processing even if it >= prime This reduces differences in timing and memory access within the hunting-and-pecking loop for ECC groups that have a prime that is not close to a power of two (e.g., Brainpool curves). Signed-off-by: Jouni Malinen (cherry picked from commit cd803299ca485eb857e37c88f973fccfbb8600e5) To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 \ src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c diff -u src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.4 src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.5 --- src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.4 Thu Aug 8 04:58:40 2019 +++ src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c Thu Aug 8 05:56:41 2019 @@ -142,6 +142,8 @@ int compute_password_element(EAP_PWD_gro struct crypto_bignum *x_candidate = NULL, *cofactor = NULL; const struct crypto_bignum *prime; u8 mask, found_ctr = 0, is_odd = 0; + int cmp_prime; + unsigned int in_range; if (grp->pwe) return -1; @@ -234,8 +236,13 @@ int compute_password_element(EAP_PWD_gro if (primebitlen % 8) buf_shift_right(prfbuf, primebytelen, 8 - primebitlen % 8); - if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0) - continue; + cmp_prime = const_time_memcmp(prfbuf, prime_bin, primebytelen); + /* Create a const_time mask for selection based on prf result + * being smaller than prime. */ + in_range = const_time_fill_msb((unsigned int) cmp_prime); + /* The algorithm description would skip the next steps if + * cmp_prime >= 0, but go through them regardless to minimize + * externally observable differences in behavior. */ crypto_bignum_deinit(x_candidate, 1); x_candidate = crypto_bignum_init_set(prfbuf, primebytelen); @@ -298,7 +305,7 @@ int compute_password_element(EAP_PWD_gro goto fail; mask = const_time_eq(res, check); found_ctr = const_time_select_u8(found, found_ctr, ctr); - found |= mask; + found |= mask & in_range; } if (found == 0) { wpa_printf(MSG_INFO,
CVS commit: src/external/bsd/wpa/dist/src/common
Module Name:src Committed By: christos Date: Thu Aug 8 09:56:10 UTC 2019 Modified Files: src/external/bsd/wpa/dist/src/common: sae.c Log Message: SAE: Run through prf result processing even if it >= prime This reduces differences in timing and memory access within the hunting-and-pecking loop for ECC groups that have a prime that is not close to a power of two (e.g., Brainpool curves). Signed-off-by: Jouni Malinen (cherry picked from commit 147bf7b88a9c231322b5b574263071ca6dbb0503) To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/external/bsd/wpa/dist/src/common/sae.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/wpa/dist/src/common/sae.c diff -u src/external/bsd/wpa/dist/src/common/sae.c:1.8 src/external/bsd/wpa/dist/src/common/sae.c:1.9 --- src/external/bsd/wpa/dist/src/common/sae.c:1.8 Thu Aug 8 04:55:48 2019 +++ src/external/bsd/wpa/dist/src/common/sae.c Thu Aug 8 05:56:10 2019 @@ -281,6 +281,8 @@ static int sae_test_pwd_seed_ecc(struct struct crypto_bignum *y_sqr, *x_cand; int res; size_t bits; + int cmp_prime; + unsigned int in_range; wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN); @@ -294,8 +296,13 @@ static int sae_test_pwd_seed_ecc(struct wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value, sae->tmp->prime_len); - if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0) - return 0; + cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len); + /* Create a const_time mask for selection based on prf result + * being smaller than prime. */ + in_range = const_time_fill_msb((unsigned int) cmp_prime); + /* The algorithm description would skip the next steps if + * cmp_prime >= 0 (reutnr 0 here), but go through them regardless to + * minimize externally observable differences in behavior. */ x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); if (!x_cand) @@ -307,7 +314,9 @@ static int sae_test_pwd_seed_ecc(struct res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr); crypto_bignum_deinit(y_sqr, 1); - return res; + if (res < 0) + return res; + return const_time_select_int(in_range, res, 0); }
CVS commit: src/external/bsd/wpa/dist/src/common
Module Name:src Committed By: christos Date: Thu Aug 8 09:56:10 UTC 2019 Modified Files: src/external/bsd/wpa/dist/src/common: sae.c Log Message: SAE: Run through prf result processing even if it >= prime This reduces differences in timing and memory access within the hunting-and-pecking loop for ECC groups that have a prime that is not close to a power of two (e.g., Brainpool curves). Signed-off-by: Jouni Malinen (cherry picked from commit 147bf7b88a9c231322b5b574263071ca6dbb0503) To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/external/bsd/wpa/dist/src/common/sae.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/external/bsd/wpa/dist/src/crypto
Module Name:src Committed By: christos Date: Thu Aug 8 09:55:32 UTC 2019 Modified Files: src/external/bsd/wpa/dist/src/crypto: crypto_openssl.c Log Message: OpenSSL: Use BN_bn2binpad() or BN_bn2bin_padded() if available This converts crypto_bignum_to_bin() to use the OpenSSL/BoringSSL functions BN_bn2binpad()/BN_bn2bin_padded(), when available, to avoid differences in runtime and memory access patterns depending on the leading bytes of the BIGNUM value. OpenSSL 1.0.2 and LibreSSL do not include such functions, so those cases are still using the previous implementation where the BN_num_bytes() call may result in different memory access pattern. Signed-off-by: Jouni Malinen (cherry picked from commit 1e237903f5b5d3117342daf006c5878cdb45e3d3) To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 \ src/external/bsd/wpa/dist/src/crypto/crypto_openssl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/wpa/dist/src/crypto/crypto_openssl.c diff -u src/external/bsd/wpa/dist/src/crypto/crypto_openssl.c:1.3 src/external/bsd/wpa/dist/src/crypto/crypto_openssl.c:1.4 --- src/external/bsd/wpa/dist/src/crypto/crypto_openssl.c:1.3 Wed Apr 10 13:56:43 2019 +++ src/external/bsd/wpa/dist/src/crypto/crypto_openssl.c Thu Aug 8 05:55:32 2019 @@ -1227,7 +1227,13 @@ void crypto_bignum_deinit(struct crypto_ int crypto_bignum_to_bin(const struct crypto_bignum *a, u8 *buf, size_t buflen, size_t padlen) { +#ifdef OPENSSL_IS_BORINGSSL +#else /* OPENSSL_IS_BORINGSSL */ +#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) +#else int num_bytes, offset; +#endif +#endif /* OPENSSL_IS_BORINGSSL */ if (TEST_FAIL()) return -1; @@ -1235,6 +1241,14 @@ int crypto_bignum_to_bin(const struct cr if (padlen > buflen) return -1; +#ifdef OPENSSL_IS_BORINGSSL + if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0) + return -1; + return padlen; +#else /* OPENSSL_IS_BORINGSSL */ +#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) + return BN_bn2binpad((const BIGNUM *) a, buf, padlen); +#else num_bytes = BN_num_bytes((const BIGNUM *) a); if ((size_t) num_bytes > buflen) return -1; @@ -1247,6 +1261,8 @@ int crypto_bignum_to_bin(const struct cr BN_bn2bin((const BIGNUM *) a, buf + offset); return num_bytes + offset; +#endif +#endif /* OPENSSL_IS_BORINGSSL */ }
CVS commit: src/external/bsd/wpa/dist/src/crypto
Module Name:src Committed By: christos Date: Thu Aug 8 09:55:32 UTC 2019 Modified Files: src/external/bsd/wpa/dist/src/crypto: crypto_openssl.c Log Message: OpenSSL: Use BN_bn2binpad() or BN_bn2bin_padded() if available This converts crypto_bignum_to_bin() to use the OpenSSL/BoringSSL functions BN_bn2binpad()/BN_bn2bin_padded(), when available, to avoid differences in runtime and memory access patterns depending on the leading bytes of the BIGNUM value. OpenSSL 1.0.2 and LibreSSL do not include such functions, so those cases are still using the previous implementation where the BN_num_bytes() call may result in different memory access pattern. Signed-off-by: Jouni Malinen (cherry picked from commit 1e237903f5b5d3117342daf006c5878cdb45e3d3) To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 \ src/external/bsd/wpa/dist/src/crypto/crypto_openssl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/external/bsd/wpa/dist/src/eap_common
Module Name:src Committed By: christos Date: Thu Aug 8 08:58:40 UTC 2019 Modified Files: src/external/bsd/wpa/dist/src/eap_common: eap_pwd_common.c Log Message: EAP-pwd: Use const_time_memcmp() for pwd_value >= prime comparison This reduces timing and memory access pattern differences for an operation that could depend on the used password. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 \ src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c diff -u src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.3 src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.4 --- src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c:1.3 Wed Apr 10 13:57:15 2019 +++ src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c Thu Aug 8 04:58:40 2019 @@ -131,6 +131,7 @@ int compute_password_element(EAP_PWD_gro u8 qnr_bin[MAX_ECC_PRIME_LEN]; u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN]; u8 x_bin[MAX_ECC_PRIME_LEN]; + u8 prime_bin[MAX_ECC_PRIME_LEN]; struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL; struct crypto_hash *hash; unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; @@ -148,6 +149,11 @@ int compute_password_element(EAP_PWD_gro os_memset(x_bin, 0, sizeof(x_bin)); prime = crypto_ec_get_prime(grp->group); + primebitlen = crypto_ec_prime_len_bits(grp->group); + primebytelen = crypto_ec_prime_len(grp->group); + if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin), + primebytelen) < 0) + return -1; cofactor = crypto_bignum_init(); grp->pwe = crypto_ec_point_init(grp->group); tmp1 = crypto_bignum_init(); @@ -163,8 +169,6 @@ int compute_password_element(EAP_PWD_gro "curve"); goto fail; } - primebitlen = crypto_ec_prime_len_bits(grp->group); - primebytelen = crypto_ec_prime_len(grp->group); if ((prfbuf = os_malloc(primebytelen)) == NULL) { wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf " "buffer"); @@ -230,6 +234,8 @@ int compute_password_element(EAP_PWD_gro if (primebitlen % 8) buf_shift_right(prfbuf, primebytelen, 8 - primebitlen % 8); + if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0) + continue; crypto_bignum_deinit(x_candidate, 1); x_candidate = crypto_bignum_init_set(prfbuf, primebytelen); @@ -239,9 +245,6 @@ int compute_password_element(EAP_PWD_gro goto fail; } - if (crypto_bignum_cmp(x_candidate, prime) >= 0) - continue; - wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate", prfbuf, primebytelen); const_time_select_bin(found, x_bin, prfbuf, primebytelen,
CVS commit: src/external/bsd/wpa/dist/src/eap_common
Module Name:src Committed By: christos Date: Thu Aug 8 08:58:40 UTC 2019 Modified Files: src/external/bsd/wpa/dist/src/eap_common: eap_pwd_common.c Log Message: EAP-pwd: Use const_time_memcmp() for pwd_value >= prime comparison This reduces timing and memory access pattern differences for an operation that could depend on the used password. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 \ src/external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/external/bsd/wpa/dist/src/common
Module Name:src Committed By: christos Date: Thu Aug 8 08:55:48 UTC 2019 Modified Files: src/external/bsd/wpa/dist/src/common: sae.c Log Message: SAE: Use const_time_memcmp() for pwd_value >= prime comparison This reduces timing and memory access pattern differences for an operation that could depend on the used password. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/external/bsd/wpa/dist/src/common/sae.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/wpa/dist/src/common/sae.c diff -u src/external/bsd/wpa/dist/src/common/sae.c:1.7 src/external/bsd/wpa/dist/src/common/sae.c:1.8 --- src/external/bsd/wpa/dist/src/common/sae.c:1.7 Wed Apr 10 14:01:08 2019 +++ src/external/bsd/wpa/dist/src/common/sae.c Thu Aug 8 04:55:48 2019 @@ -294,7 +294,7 @@ static int sae_test_pwd_seed_ecc(struct wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value, sae->tmp->prime_len); - if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0) + if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0) return 0; x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
CVS commit: src/external/bsd/wpa/dist/src/common
Module Name:src Committed By: christos Date: Thu Aug 8 08:55:48 UTC 2019 Modified Files: src/external/bsd/wpa/dist/src/common: sae.c Log Message: SAE: Use const_time_memcmp() for pwd_value >= prime comparison This reduces timing and memory access pattern differences for an operation that could depend on the used password. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/external/bsd/wpa/dist/src/common/sae.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Re: CVS commit: src/external/bsd/wpa/dist/src/drivers
In article <20160119150829.60108f...@cvs.netbsd.org>, Roy Marpleswrote: >-=-=-=-=-=- > >Module Name: src >Committed By: roy >Date: Tue Jan 19 15:08:29 UTC 2016 > >Modified Files: > src/external/bsd/wpa/dist/src/drivers: driver_bsd.c > >Log Message: >Don't log RTM messages we aren't interested in at all. But these were debugging printfs... christos